pleroma.debian.social

Our Snopes account was hacked on X (formerly Twitter) and we got locked out for six weeks. We finally just got it back!

See the full story in the comments below for what we had to do to get someone/anyone at X to help us.

From Snopes CEO

1/8
On Jan 31st, one of our employees said they couldn’t log in to our Snopes X account. I checked our site email and noticed that a minute earlier, we received an email from X saying someone new logged into our Snopes account. I didn’t recognize the location and then I saw another email that came directly after saying “X two-factor authentication is good to go”.

That’s when panic set in.

2/8
I immediately reset the password with the “forgot password” link, but we were still locked out as I couldn’t log in without the two-factor authenticator. Thankfully no one ever posted as Snopes, so I’m guessing that resetting the password also kicked out the hacker, as they didn’t get a chance to change the email and phone number.

3/8
I reached out to X help support many times over the last 6 weeks with no response. I tried the form saying we were hacked and the form saying we were having trouble with our two-factor authentication. No help.

@snopes That place is cursed

4/8
I tried paying for the $1,000/month X Verified Org plan (even though Snopes already had this for free) to get Priority Support. After submitting payment I clicked “Contact us” and there was a special email to contact. Finally, a way to talk to someone at X! Nope. I received an auto responder a couple minutes later saying “This email address has ben deprecated” (with the “been” typo). It then directed me back to the help center I’ve been trying to get help from for 6 weeks.

5/8
I tried adding dozens of people on LinkedIn that say they work at X. Four of them accepted the invite and zero of them responded when I asked for help with who I could talk to at the company. I then tried signing up for LinkedIn Premium to send more messages to X’s employees, but again no responses from anyone.

6/8
I asked Grok what we should do but we already tried all of the suggestions.

7/8
Finally, I went back to Grok and asked if there were any other well-known employees at X. Of course, it listed Elon and Linda, but they both have PMs disabled. And then it listed John Stoll, X’s new head of news. I thought, of anyone, the head of news would be the most likely to help us, so this felt promising. I sent him a PM on X from my personal account and in less than 2 minutes he responded and said he would take care of it.

8/8
90 minutes later he gave us confirmation from support saying our account was hacked and they are resetting it for us. A few minutes later we had our Snopes account back!

In summary, always use two-factor authentication. We left it off because we had multiple employees logging into the account, but clearly it’s not worth the risk.

X has the worst customer support I’ve ever seen, even if you pay $1,000/month you can’t email them.

Grok did help save the day by pointing us to John Stoll.

@snopes it's always a good day to shit-can Twitter.

@snopes so you've downloaded your history and closed the account right?... right?

@snopes Could you help me understand why you folks think it's a good idea to not only keep doing free labor for Elon Musk, but to give him a lot of money to reward them for being awful?

@snopes I’m glad you got it back, but this is really an artifact of the drastic staff reductions Musk made. I am a bit surprised - ok not really surprised - that they didn’t have anyone to help you even though they put down $1k

@snopes I'm glad you got things under control.

Moving forward may I recommend that the current ownership of that network should be added to your threat model as an adversary. I think you got lucky this time and the owner of that network may actually work against you in future. Plan for that contingency.

I certainly would not recommend giving them any money regardless.

We're glad you're here on the fediverse, keep doing the good work

@snopes so.. you're shutting it down, right

@snopes Please tell us you were looking in the mirror while writing this thread and asking ‘WHAT the f*k am I still doing on shitter?’! Otherwise, most of us are ‘cry me a river’. 

@snopes And this is probably what he'll do to our government if Trump lets him.

@snopes Haven't tested it, but can't you use something like 1Password to share 2FA tokens amongst multiple employees? That should be a solvable problem.

@snopes

You do what you think you have to do, but I'd seriously consider totally pulling everything you have there from MusKKKrat's app and shutting that account down. It's not worth throwing $1K of your hard-earned money at.

@snopes This justifies a credit card chargeback unless they made you pay with fucking paypal

@snopes it’s not quite as secure, but you can use a password manager to help with this. Each employee gets their own account, with a shared login item that stores a password and TFA key. Everyone has access to the TFA codes. If one person updates the account password, everyone gets it. If someone needs to be locked out, their access to the login item is revoked.

@snopes

> In summary, always use two-factor authentication.

2FA is a double-edged sword: you have to reveal a phone number in order to use it, and if the location where that number is stored is ever compromised - AND IT WILL BE - you've now had your phone number as well as everything else they knew of your identity stolen. And that phone number is golden for social engineering especially.

It's for this reason, as well as the general irritation of it, that I never ever use 2FA.

@snopes well, when you are cutting costs instead of working out "efficiency" in your own businesses, I guess, what can you expect?

Efficiency, in my humble opinion, goes two ways. It surely wasn't very efficient for you to have to try for 6 weeks to get help and get nothing.

DOGE might have to come to the rescue of X?

@snopes
Thanks for getting back to us. I've been wondering.

@snopes you can still use 2FA with multiple people. Copy the QR code (or TOTP code it encodes) and send it (ideally on Signal) to the people who you want to authorize. Make sure they delete that image/code after sharing as it is the real MFA key.

@snopes it's trivial to set up 2fa across multiple devices using the code method with Proton Pass, Google Authenticator, or virtually anything else. Bitlocker I believe has a corp management system.

Can bad actors still compromise you? Sure. Is insider risk still bad? Absolutely. Is it better than no 2fa? Oh yeah.
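The shared-secret scheme the replies above describe (a password-manager login item holding the TOTF key, or the QR code's secret copied to each employee's app) works because the base32 secret behind the QR code is the entire credential. This added example, not code from the thread, implements RFC 6238 TOTP with the standard library; the enrolment URI and its secret are constructed from the RFC 4226/6238 test secret, not a real account's, and the verify routine with its clock-drift window is a generic server-side check.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed enrolment URI of the kind a 2FA QR code encodes.
# The secret is the RFC 4226/6238 test secret, NOT a real account secret.
ENROL_URI = ("otpauth://totp/X:snopes?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
             "&issuer=X&digits=6&period=30")


def parse_otpauth(uri):
    """Return (secret_b32, digits, period) from an otpauth:// URI."""
    q = parse_qs(urlparse(uri).query)
    return (q["secret"][0],
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238: HOTP with counter = unix_time // period.
    Every device holding the same secret yields the same code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    t = int(time.time()) if at is None else at
    return hotp(secret, t // period, digits)


def verify(secret_b32, code, at=None, window=1, digits=6, period=30):
    """Server-side check accepting +/- `window` steps of clock drift.
    Note it cannot tell which enrolled device produced the code: revoking
    one person means rotating the secret, not deleting their copy."""
    t = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, t + k * period, digits, period), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    secret, digits, period = parse_otpauth(ENROL_URI)
    print("device A:", totp(secret, digits=digits, period=period))
    print("device B:", totp(secret, digits=digits, period=period))  # identical
```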

@snopes

So maybe get off X? 🤷

@snopes I think you learned the wrong lesson from all this

@snopes
Definitely nothing happened during that time that required any fact checking on there

@snopes I think it's amazing you actually managed to get a response from a real human! Glad you got your account back. What a pain though!

@snopes I strongly suspect that if Snopes was a right wing organisation the reconnection would have been rapid. In my experience, Maga people consider Snopes as ‘radical liberal’ (that’s what comes from being rigorously neutral).

@snopes I dont give a fuck what fascist websites do, that is why we made this good one baby

@adamhotep @snopes rather than using Signal, I suggest self hosting an #XMPP server with accounts for key people. Create a group for sharing MFA keys and keep this sensitive information under your control. If your xmpp server was, say chat.snopes.com, then you can leverage DNS security to have confidential discussions with external people too. See [It is good to be a tree](https://wordpress.debian.social/jlines/2021/01/12/it-is-good-to-be-a-tree/)


@snopes

I hope you put a thousand dollars into infosec.exchange.

Here's their donate account: https://liberapay.com/Infosec.exchange/ and https://ko-fi.com/infosecexchange Jerry also has paypal check his profile.

But alas. A thousand dollars to Elon "arm movement" Musk out of blind panic makes your reputation much, much worse than before. It would have been better if you hadn't said anything at all.

@snopes

So, whilst your X account was unavailable to you, did you consider posting to fedi instead?

I guess not, as your last post prior to this thread was 17 days ago!

As others have said, maybe there's a lesson to be learned (apart from the account security one).

@snopes Just deactivate the account already. Waste of time and effort.

@snopes That's unfortunate. X should really be paying you guys instead of the other way around.

@snopes

I have some online accounts where the only ‘second factor’ may be a physical address from 35 years ago.

@snopes In summary: why are you there? 😳😅

You barely post here, your last post was on 20/02, and then you came here and wrote a full thread to tell us how you were mistreated, ignored and cheated by that corporate social web (because paying 1K for non-existent customer service is just that: a scam)...

Please, come here and build a community, or just don't tell us about it, because you still decide to stay there... 🙄

@snopes You're making a great case for leaving X.

@snopes Snopes being on Twitter is just a bad fact. Fact check yourself into 2025.

@snopes does this mean you didn't have it on before that?

@snopes There is irony in existing to counter misinformation, then paying 1,000 dollars a month to one of the biggest misinformation silos online.