Given the continuing popularity of Elon Musk’s X social network, and the sweeping staffing cuts made when the world’s richest man bought what used to be (and still is in my mind) Twitter, it doesn’t make the cybersecurity headlines as much as you might have thought. With PayPal users currently warned of ongoing attacks, ditto WordPress website owners, and even LastPass password manager customers, all being in the threat actor crosshairs, this is a good thing. However, X users have now been warned that unless they make a change to a legacy Twitter security setting, they will be locked out of their accounts from November 10. Here’s what you need to know.
The X Safety Team Issues Clarification After Warning Of Twitter Account Lockouts
Whatever you call it, X or Twitter, the social network isn’t immune to security threats. This year alone, I have reported on outages caused by a claimed DDoS attack and a warning for 650 million X users not to change their passwords. Sometimes, though, the perceived security threat comes from inside the building. Such was the case after the X safety team tweeted on October 24: “After November 10, if you haven’t re-enrolled a security key, your account will be locked until you: re-enroll; choose a different 2FA method; or elect not to use 2FA.”
This, rather unsurprisingly if you ask me, created a wave of concern amongst both ordinary users and security experts on the social media platform. One asked whether not using 2FA meant their account would remain active; another asked whether there had been a security breach; and another asked whether this only impacted passkey users.
The confusion stemmed from X warning that “all accounts that use a security key as their two-factor authentication method to re-enroll their key to continue accessing X,” and adding that users could “re-enroll your existing security key, or enroll a new one.” A typical example of someone who knows what they are talking about but not how to communicate it to people who do not. Translating tech-speak into ordinary language is an essential skill, and one that the X safety team appears to have misplaced on this occasion.
What X should have said, and ended up being forced into actually saying a day later, was: “To clarify: this change is not related to any security concern, and only impacts Yubikeys and passkeys – not other 2FA methods (such as authenticator apps). Security keys enrolled as a 2FA method are currently tied to the twitter.com domain. Re-enrolling your security key will associate them with x.com, allowing us to retire the Twitter domain. If this relates to you, you’ll be prompted automatically to re-enroll.”
