Yat Siu
852 posts
Hong Kong
Joined September 2008
- If you want to know what happened, this is what happened @zachxbt
- 2. Hacker knew my password; I don't know how, but assume that breach vector should be secure as I was 2FA-secured. He went to help.x.com/en/forms/accou… and used my original ID @ysiu and used an e-mail address that was not the registered e-mail address of the account!
- 3. I simulated this over two accounts and recreated this same scenario, and received this on the new email, which requires me to confirm logging in over your platform, which sends a notification to you that the "owner" requested to log in (note: it does not verify any further).
- 4. Most importantly (and easy for X to fix), the actual email address that was registered (I tested this) and the actual owner of the handle received NO NOTIFICATION that there was a 2FA change request made, and also no notification over SMS. This feature alone would have probably
- 5. Continuing on, it then asked me on the email (assume that this would be the fake user attempting to get my 2FA account) for more verification, as it could not verify that I was the actual account owner, the following as attached, including a copy of a valid government-issued ID.
- 6. All of this is happening while the actual e-mail account or mobile number, which was also registered, received no notification of any of these requests happening. Something like "did you request to submit a government-issued ID?". Now all the hacker needed was a valid ID.
- 7. Valid or even FAKE IDs are fairly easy to get, but in my particular case I was phished for one, similar to how x.com/zachxbt/status… describes it, but I never input my 2FA; instead I was requested to submit my ID to verify my appeal. I was unable to recreate the form as the site
  - Quoted post from @zachxbt (3/3): An example of a phishing email received by X users can be seen below, and the emails all follow the same script: >send fake copyright infringement email >create a sense of urgency >trick user into visiting phishing site and resetting 2FA/password. Make sure to limit email
- 8. Once the hacker got my 2FA removed, he instantly installed his own 2FA in a fast series of actions while also changing my password, all within a minute, as can be seen here, while also delegating to another account @BrandyMokkdokk, which you should seriously investigate as well.
- 10. For everyone else out there, from my lesson: 2FA security on Twitter (does not matter if it's a security key) is not secure enough at this moment. Once your account is compromised, 2FA can be turned off just by knowing your password. Access to your account settings is NOT 2FA.
- 11. Having 2FA may give a false sense of security, in that you feel you can be more relaxed because of it, which is of course not true. 2FA is just another security layer, and you cannot become more relaxed in other areas of security because of it (e.g. changing passwords less
- 12. I want to thank everyone who helped me in this: the great @animocabrands @Moca_Network community, of course the special team at X who helped secure and lock the account (I still don't have access to @ysiu yet), and a special shoutout to @9GAG @lucanetz @tylerdurden88 @yusufg
- Just minted my Pencil Genesis Badge on @pencilfinance_, unlocking early access to loan bundles and boosting my Strokes points with a multiplier. Mint yours at pencilfinance.io/pencil-genesis… Let's build on-chain education together.
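
The recovery-flow weakness the thread describes (an appeal opened with just the password and an attacker-chosen e-mail address, no notice to the registered contacts, and 2FA removal that takes effect at once) can be modelled as a toy, with the weak behaviour beside a hardened version. This is an added example written for this page in Python; it is not code from the thread and says nothing about how X's real systems are built. All names (`Account`, `Appeal`, `HOLD_PERIOD`, the sample handle, addresses and timestamps) are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed cooling-off window before a 2FA-removal appeal takes effect;
# a real service would pick its own value.
HOLD_PERIOD = timedelta(hours=24)


@dataclass
class Account:
    handle: str
    password: str
    registered_email: str
    registered_phone: str
    totp_enabled: bool = True
    # (recipient, message) pairs the flow "sent"; stands in for e-mail/SMS delivery
    notifications: list = field(default_factory=list)


@dataclass
class Appeal:
    account: Account
    reply_to: str          # where the ID-verification challenge is sent
    opened_at: datetime
    cancelled: bool = False


def weak_open_appeal(acct, handle, password, contact_email, now):
    """Weak flow, as the thread describes it: handle + password is enough to open
    an appeal, the challenge goes to whatever address was typed in, and the
    registered contacts hear nothing."""
    if handle != acct.handle or password != acct.password:
        return None
    return Appeal(acct, contact_email, now)


def weak_finalize(appeal):
    """Weak flow: removal is immediate once the (phishable) ID check passes."""
    appeal.account.totp_enabled = False
    return True


def hardened_open_appeal(acct, handle, password, contact_email, now):
    """Hardened flow: every registered contact is told an appeal exists (and how
    to cancel it), and an appeal naming an unregistered address is refused."""
    if handle != acct.handle or password != acct.password:
        return None
    notice = f"2FA-removal appeal opened for @{acct.handle}; reply CANCEL if this was not you"
    acct.notifications.append((acct.registered_email, notice))
    acct.notifications.append((acct.registered_phone, notice))
    if contact_email.strip().lower() != acct.registered_email.lower():
        acct.notifications.append(
            (acct.registered_email, f"appeal used unregistered address {contact_email}; refused"))
        return None
    return Appeal(acct, acct.registered_email, now)


def hardened_finalize(appeal, now):
    """Hardened flow: removal only takes effect after HOLD_PERIOD and only if the
    owner did not cancel, so a hijacker cannot swap in their own 2FA within a
    minute the way the thread describes."""
    if appeal.cancelled or now - appeal.opened_at < HOLD_PERIOD:
        return False
    appeal.account.totp_enabled = False
    return True


def run_attack(flow):
    """Replay the thread's scenario against one flow: the attacker knows the
    password and supplies their own e-mail address. Returns a summary dict."""
    acct = Account("victim", "leaked-password", "owner@example.com", "+85200000000")
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamp
    if flow == "weak":
        appeal = weak_open_appeal(acct, "victim", "leaked-password", "attacker@example.net", t0)
        removed = weak_finalize(appeal)
    else:
        appeal = hardened_open_appeal(acct, "victim", "leaked-password", "attacker@example.net", t0)
        removed = hardened_finalize(appeal, t0 + timedelta(minutes=1)) if appeal else False
    return {
        "challenge_sent_to": appeal.reply_to if appeal else None,
        "owner_notified": any(r == acct.registered_email for r, _ in acct.notifications),
        "totp_enabled": acct.totp_enabled,
        "removed": removed,
    }


def run_owner_recovery(cancel=False):
    """The legitimate owner recovers through the hardened flow: the challenge
    goes to the registered address and removal waits out HOLD_PERIOD unless
    the owner cancels from the notification."""
    acct = Account("victim", "leaked-password", "owner@example.com", "+85200000000")
    t0 = datetime(2024, 1, 1, 12, 0)
    appeal = hardened_open_appeal(acct, "victim", "leaked-password", "Owner@Example.com", t0)
    appeal.cancelled = cancel
    early = hardened_finalize(appeal, t0 + timedelta(minutes=1))
    later = hardened_finalize(appeal, t0 + HOLD_PERIOD)
    return {"challenge_sent_to": appeal.reply_to, "removed_early": early,
            "removed_after_hold": later, "totp_enabled": acct.totp_enabled}


if __name__ == "__main__":
    for name in ("weak", "hardened"):
        print(name, run_attack(name))
    print("owner", run_owner_recovery())
```

Three controls do the work here: the challenge is only ever sent to the address already on file, the registered e-mail and phone are told about the appeal whether or not it is accepted, and the removal itself is delayed long enough for the owner to cancel. Any one of the three would have changed the outcome the thread describes; together they also make the phished ID copy worthless on its own, since an ID alone never reaches the finalize step without the registered contacts knowing.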