Mandiant admits hacked X account didn’t have 2FA

Share post:

Mandiant says the loss of control of its X/Twitter account last week was likely caused by a brute force password attack on one employee’s account by a cryptocurrency scammer.

Normally, two-factor authentication (2FA)would have mitigated the attack, the Google-owned division said in a tweet on Wednesday, “but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again.”

The tweet doesn’t explain the change in X’s 2FA policy, or how it contributed to the hack.

There is no evidence the attacker used malware or compromised any Mandiant or Google Cloud systems in the moves that led to account takeover, Mandiant also said in a separate blog.

In a brute force attack, a threat actor submits stolen usernames and passwords, passphrases or a list of suspected passwords to a login page until the correct one is found.

The threat actor who got access used it to post links to a cryptocurrency drainer phishing page. Drainers are malicious scripts and smart contracts that actors can leverage to siphon funds and/or digital assets, such as non-fungible tokens, from victims’ cryptocurrency wallets after they are tricked into approving transactions.

Along with the explanatory tweet, Mandiant published a detailed blog on a drainer it calls Clinksink which was temporarily leveraged by the attacker. “Numerous actors have conducted campaigns since December 2023 that leverage the Clinksink drainer to steal funds and tokens from Solana (SOL) cryptocurrency users,” it says.

The identified campaigns included at least 35 affiliate IDs that are associated with a common drainer-as-a-service (DaaS) which uses Clinksink. “The operator(s) of this DaaS provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, typically around 20 per cent. We estimate the total value of assets stolen by affiliates in these recent campaigns to be at least US$900,000.”

It’s not uncommon for attackers to use social media and chat applications, including X and Discord, to distribute cryptocurrency-themed phishing pages that entice victims to interact with the Clinksink drainer, the report says.

The incident is another example of why organizations have to ensure their social media accounts are locked down to prevent crooks from taking them over and leveraging their access for profit or mischief.

This week, the U.S. Securities and Exchange Commission briefly lost control of its X account. In a tweet, X said the SEC didn’t have two-factor authentication protection enabled on the account. It said the cause was “an unidentified individual obtaining control over a phone number associated with the [SEC] account through a third party.”

The post Mandiant admits hacked X account didn’t have 2FA first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Costs from Global CrowdStrike Outage Could Exceed $1 Billion

The global tech outage caused by a faulty CrowdStrike update on Friday could result in damages exceeding $1...

CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft

National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike...

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways