Twitter’s CFO clearly wasn’t using two-factor authentication. Which is silly of him

Graham Cluley
Graham Cluley
@[email protected]

Anthony NotoTwitter has been providing users with a way to better protect their accounts from phishers and hackers for some time now.

The extra layer of security you can add to your Twitter account is called login verification by the site (commonly known as two-factor authentication on other services), and means that even if a bad guy manages to steal your password they won’t be able to access your account.

That’s because having a username and password isn’t enough to break into a Twitter account if two-factor authentication is enabled.

Instead, Twitter sends a short SMS message containing a random number to your mobile phone, and you need to enter that before access to the account is granted.

Sign up to our free newsletter.
Security news, advice, and tips.

Alternatively, you can set up login verifications to send a login request to the official Twitter app on your iPhone or Android.

Most of the time, a hacker who has your password is unlikely to also have access to your phone.

Anyone who cares about securing their Twitter account already knows this, of course.

But not, it seems, Twitter’s own CFO.

Tweets from Twitter's CFO

Anthony Noto (@anthonynoto) had his account hijacked earlier today, sending almost 300 spam messages to his 13,000 followers.

Okay, so this happens every day to many people. But really, Noto should have done better. Twitter should be drumming into its staff how to secure their accounts against potential attacks rather than having them hijacked with seemingly such ease.

Chances are that he wasn’t specifically targeted, and was just yet-another-Twitter-user falling into a phishing trap.

But imagine if the attackers had realised whose account they had compromised and used it to their greater advantage?

It’s easy to imagine how direct messages from an account belonging to Twitter’s CFO could have directed other staff to dangerous links, for instance.

I’m also disappointed by Noto’s response. He could have used the opportunity to remind his followers of the additional security features that Twitter offers – but instead, he just tweeted “Back on the field!” once his account was restored.

According to TechCrunch, the breach of Noto’s account only lasted about 20 minutes before being shut down by (one assumes) one of the CFO’s colleagues at Twitter.

Let’s just hope he wasn’t using the same password at any other online account, eh?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Twitter’s CFO clearly wasn’t using two-factor authentication. Which is silly of him”

  1. Andy

    So why isn't twitter, or any of the others, making multi factor auth mandatory? Or, make it mandatory after you hit a certain follower threshold? After all, they force you to use a password. I have multi factor auth set up on all my social media accounts and any other site that allows it. It's foolish not to use it. It's free…free….

  2. RealityBites

    How sad that the programmer world is so utterly pathetic that people have to take outlandish methods just to keep losers out of their account.

    One thing that can always be counted on… if its programmed, it will be full of holes, insecure and probably incapable of doing what it was supposed to. The software really is about 15 years behind the hardware.

    Just pitiful.

    1. Coyote · in reply to RealityBites

      All software has bugs. That is simply because programmers are human; no one is perfect. But to blatantly state:

      "One thing that can always be counted on… if its programmed, it will be full of holes, insecure and probably incapable of doing what it was supposed to."

      … is rather taking programmers for granted, taking software that you use (whether you like it all or not) for granted… and it is frankly arrogant and not at all nice, to make such claims. You could argue those things about pretty much everything in this world. For what its worth, some programmers DO care about their software, they DO fix bugs as soon as they are discovered (often spending more time on it than other things!) and that is even with the attitude you have. There's more they do, too. Why do I bring it up? Because I'm one of those programmers that DO care about (his) work and I've done ALL of the above (and more). And I'll add that my software DOES do what it is supposed to do. It also is ahead of hardware, where that applies.

      By the way, programming is irrelevant to the topic here. 2FA is nothing new; indeed, corporations using securid (not a typo) cards years (decades? there we go) ago. Furthermore, security was, is, and always will be a many-layered concept. Anyone claiming otherwise is ignorant of security on a whole. Similar is having privilege separation. It isn't like having unprivileged access to a system means you can control the entire system, modify everything (or indeed read everything). No, not at all. Maybe in Windows it is that way but Windows isn't exactly old compared to other operating systems (neither is MacOS) but I would suspect by now they woke up to that risk. That itself is more than one layer.

      No, it isn't pitiful at all. Never mind that your post is offensive and instead consider this: if you're so against programmers, stop using their software. If not, you're only being counter productive – indeed, rather than be offering constructive criticism, you merely criticise over supposed guarantee that programmers are so 'pitiful' that they only have bugs.

  3. John

    Apart from normal dumbness, there's even more to it: not using 2FA by the CFO of Twitter could .. well…. have led to REALLY serious financial damages on the stock exchange.

    Granted, most likely the hackers were not even aware of the account they had hacked. But imagine that they were – they could have EASILY forced the Twitter (TWTR) stock to collapse in a matter of minutes. Only to see the stock rebound thereafter. And making big (and I mean BIG!) money on both sides of the volatile stock. Hundreds of millions, if not billions, could have been made on those trades.

    This is not just a tech issue – it is a matter that should be examined thouroughly by the SEC, including some hefty fines for the CFO involved. This is NOT just "some" hack.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.