@nelson@tech.lgbt · Jul 6, 2022 · 12:10 AM UTC

@nelson@tech.lgbt

@nelson@tech.lgbt @nelson

6 Jul 2022

This SMS is part of a spear phishing attack, right? It came along with what looks like a legit email from Twitter's password reset system.

Aaron Parecki · Jul 6, 2022 · 5:58 AM UTC

Aaron Parecki · Jul 6, 2022 · 5:58 AM UTC

Aaron Parecki @aaronpk

6 Jul 2022

Replying to @rodbegbie @nelson

Exactly, which is why we need to make strong non-phishable MFA much more accessible and stop using SMS for this

Jul 6, 2022 · 5:58 AM UTC

@nelson@tech.lgbt · Jul 6, 2022 · 1:20 PM UTC

@nelson@tech.lgbt @nelson

6 Jul 2022

Replying to @aaronpk @rodbegbie

I don't know if Twitter uses SMS for auth or not; mine is using a TOTP token. Twitter does have some protection against spurious password resets but I think it boils down to "do you know the email address for the account" which, well, of course anyone can guess that for me.