A prominent activist had his Twitter account hacked using a method that takes only minutes
With a technique known as social engineering, a hacker was able to pose as McKesson in a phone call and over the web to gain full access to his account, completely negating the two-factor authentication tied to his cell phone.
"Today I learned that it is rather easy for someone to call the provider [and] change your SIM. The hacker got the account verification texts," McKesson tweeted.
Before McKesson regained access to his Twitter account, the hacker tweeted an endorsement of Donald Trump for president and another tweet announcing, "I'm not actually black." Those tweets have been deleted.
In explaining what happened, McKesson said on Twitter that someone called Verizon customer service and impersonated him. The hacker was able to change the SIM of McKesson's phone to their own, thus redirecting all text message verifications to a phone under their own control.
With this, it was as simple as going through the "lost password" process online to get full access.
For example, Verizon Wireless' website asks for a customer's 10-digit phone number and billing zip code. With these two bits of information - which can often be culled from public sources - the user can then reset the account password through a text message.
The process is similar on Twitter. If a user has lost their password, they need to provide their Twitter handle and phone number. Though the process offers to reset the password via email, users can request a text message instead.
A spokesperson for Verizon did not respond to repeated calls from Tech Insider.