X (Twitter) account hacked?
I have a Twitter account that was inactive. I actually thought I had deleted it. This morning, however, I received four emails from Twitter:
- The first contained a code to confirm the login.
- Two more informed me that someone had logged in.
- The last email said that two-factor authentication had been enabled.
I don't understand how this is possible, since I consider it unlikely that my email account was hacked. I use Microsoft's login method, where you unlock the app with Face ID and then have to pick the correct one of three numbers.
I wonder where that person could have gotten the code from the first email. That worries me.
Unfortunately, this is exactly what happens without 2FA: there is no captcha or Face ID, and without 2FA there is no real security today. In addition, I always make passwords at least 20 characters long (numbers, upper- and lowercase letters, underscores, special characters, etc.).
A good PW would be: kyLCg,V(vqb_5g8pVr)uW*u
In addition, use a TOTP (time-based one-time password) as 2FA. It is regenerated every 60 seconds. You can do this, for example, with Google Authenticator: in the settings of the respective app you are shown a generated QR code, and the Authenticator app then creates a code that must be used for verification.
To get into my email account, I need to open the Microsoft Authenticator app, which is the 2FA. There is no login or anything like that in my email account. But I don't understand how the hacker got the code from the email. Can that be bypassed on Twitter?
Basically, the security of 2FA (e.g. via an authenticator app or via email) rests on the assumption that only you have access to your primary account and the associated communication channels (email, app). So if the hacker was not logged into your email account and there is no unusual login, it is unlikely that he could have captured the 2FA code directly from the email, provided that all communication paths (e.g. TLS-encrypted connections) are correctly secured.
But there are, theoretically, some attack scenarios that would be possible in other contexts:
Regarding Twitter:
I am currently not aware of any known procedures or vulnerabilities that make it possible to bypass Twitter 2FA in a targeted manner if the entire communication path (including email and authenticator) is properly secured. If Twitter's 2FA is correctly implemented, its security rests on possession of the devices or accounts; circumvention is not intended and should not be possible without a vulnerability.
In summary:
If the attacker really did not get into your email account and no unusual login is detectable, another attack vector (such as insecure networks, phishing or a compromised device) is likely to have captured the 2FA code. On Twitter, unless one of these other vulnerabilities is present, there is no known trick to bypass 2FA.
Thank you very much. I think I expressed myself wrongly: on Twitter, 2FA wasn't active, just a password, because as far as I know I had actually deleted this account. Then this morning at 4 I got an email with the confirmation code to log in, then an email that someone had logged in, and then an email that someone had activated 2FA on Twitter.