Our Snopes account was hacked on X (formerly Twitter) and we got locked out for six weeks. We finally just got it back!

See the full story in the comments below for what we had to do to get someone/anyone at X to help us.

From Snopes CEO

1/8
On Jan 31st, one of our employees said they couldn’t log in to our Snopes X account. I checked our site email and noticed that a minute earlier, we received an email from X saying someone new logged into our Snopes account. I didn’t recognize the location and then I saw another email that came directly after saying “X two-factor authentication is good to go”.

That’s when panic set in.

2/8
I immediately reset the password with the “forgot password” link, but we were still locked out as I couldn’t log in without the two-factor authenticator. Thankfully no one ever posted as Snopes, so I’m guessing that resetting the password also kicked out the hacker as they didn’t get a chance to change the email and phone number.

3/8
I reached out to X help support many times over the last 6 weeks with no response. I tried the form saying we were hacked and the form saying we were having trouble with our two-factor authentication. No help.

4/8
I tried paying for the $1,000/month X Verified Org plan (even though Snopes already had this for free) to get Priority Support. After submitting payment I clicked “Contact us” and there was a special email to contact. Finally, a way to talk to someone at X! Nope. I received an auto responder a couple minutes later saying “This email address has ben deprecated” (with the “been” typo). It then directed me back to the help center I’ve been trying to get help from for 6 weeks.

5/8
I tried adding dozens of people on LinkedIn that say they work at X. Four of them accepted the invite and zero of them responded when I asked for help on who I can talk to at the company. I then tried signing up for LinkedIn Premium to send more messages to X’s employees, but again no responses from anyone.

6/8
I asked Grok what we should do but we already tried all of the suggestions.

7/8
Finally, I went back to Grok and asked if there were any other well known employees at X. Of course, it listed Elon and Linda, but they both have PMs disabled. And then it listed John Stoll, X’s new head of news. I thought, of anyone, the head of news would be the most likely to help us, so this felt promising. I sent him a PM on X from my personal account and in less than 2 minutes he responded and said he would take care of it.

8/8
90 minutes later he gave us confirmation from support saying our account was hacked and they are resetting it for us. A few minutes later we had our Snopes account back!

In summary, always use two-factor authentication. We left it off because we had multiple employees logging into the account, but clearly it’s not worth the risk.

X has the worst customer support I’ve ever seen, even if you pay $1,000/month you can’t email them.

Grok did help save the day by pointing us to John Stoll.

@snopes it's always a good day to shit-can Twitter.
@snopes Could you help me understand why you folks think it's a good idea to not only keep doing free labor for Elon Musk, but to give him a lot of money to reward them for being awful?

@snopes So what you're saying is that everything about X is worthless, and not worth paying a cent towards? 😁

I follow you here, and just found you on Bluesky. Glad you got your account back, but was it really worth it? Is anyone on that platform even interested in facts?

@snopes I’m glad you got it back, but this is really an artifact of the drastic staff reductions Musk made. I am a bit surprised - ok not really surprised - that they didn’t have anyone to help you even though they put down $1k.
@jerry @snopes can't wait for what this type of management will do for the federal government. At least FEMA, IRS, FBI, TSA, VA are not very critical groups to be under staffed when the need for critical response occurs.
@snopes I take it you didn't even get your $1000 back or did they keep it as privilege for their lack of support?
@snopes Please tell us you were looking in the mirror while writing this thread and asking ‘WHAT the f*k am I still doing on shitter?’! Otherwise, most of us are ‘cry me a river’. 

@leswarden @snopes

It's Snopes... They fact check

They're doing the whole world a huge favour by being present where people are incapable of understanding the difference between their own opinions vs documented facts

@baardhaveland @snopes Facts mean nothing to a cult.
The only way to be absolutely sure about the outcome of a challenge is to give up
@leswarden @snopes And the still remaining clientele there is hardly a sympathetic audience for the type of service Snopes is supposed to be offering. They are unintentionally offering a different kind of service: undeserved legitimation.
@snopes And this is probably what he'll do to our government if Trump lets him.
@snopes you can probably still share the two-factor with multiple employees if they're using standard TOTP.
@snopes Haven't tested it, but can't you use something like 1Password to share 2FA tokens amongst multiple employees? That should be a solvable problem.
@snopes This justifies a credit card chargeback unless they made you pay with fucking paypal
@snopes so to summarize, you paid a nazi a bunch of money
@snopes it’s not quite as secure, but you can use a password manager to help with this. Each employee gets their own account, with a shared login item that stores a password and TFA key. Everyone has access to the TFA codes. If one person updates the account password, everyone gets it. If someone needs to be locked out, their access to the login item is revoked.

@snopes

> In summary, always use two-factor authentication.

2FA is a double-edged sword: you have to reveal a phone number in order to use it, and if the location where that number is stored is ever compromised - AND IT WILL BE - you've now had your phone number as well as everything else they knew of your identity stolen. And that phone number is golden for social engineering especially.

It's for this reason, as well as the general irritation of it, that I never ever use 2FA. That would be TRIPLY true for a service like X that is a Known Bad Actor with Evil Nazi ownership that is just as likely to abuse any information you give it as any garden variety criminal that might acquire it. Oh, wait....

@VulcanTourist @snopes you can use a simple OTP for 2FA actually in most cases, or a passkey, which will not require your phone number. Also, the kind of hacker you suspect, probably has no interest in you, as you are not a secret agent or something. I identify with my full name and number for decades online, and have no issues with that. Paranoid much?

@jelle @snopes

Not paranoid, just perpetually skeptical of motive and everything that wants something.

@VulcanTourist @snopes Twitter supports WebAuthn (U2F/FIDO Keys, Passkeys) and TOTP. They phased out SMS a while ago.
@snopes
Thanks for getting back to us. I've been wondering.
@snopes you can still use 2FA with multiple people. Copy the QR code (or TOTP code it encodes) and send it (ideally on Signal) to the people who you want to authorize. Make sure they delete that image/code after sharing as it is the real MFA key.
@adamhotep @snopes rather than using Signal, I suggest self hosting an #XMPP server with accounts for key people. Create a group for sharing MFA keys and keep this sensitive information under your control. If your XMPP server was, say, chat.snopes.com, then you can leverage DNS security to have confidential discussions with external people too. See [It is good to be a tree](https://wordpress.debian.social/jlines/2021/01/12/it-is-good-to-be-a-tree/)

@snopes congrats on getting your account back & secured. I understand the need for existence on X, given your profile. And yes, everyone should use 2FA. You found out the hard way, but everyone should become familiar with the ways offered to secure your account. Thanks for sharing.

@snopes it's trivial to set up 2FA across multiple devices using the code method with Proton Pass, Google Auth, or virtually anything else. Bitlocker I believe has a corp management system.

Can bad actors still compromise you? Sure. Is insider risk still bad? Absolutely. Is it better than no 2FA? Oh yeah.

@snopes I think you learned the wrong lesson from all this
@snopes I strongly suspect that if Snopes was a right wing organisation the reconnection would have been rapid. In my experience, MAGA people consider Snopes as ‘radical liberal’ (that’s what comes from being rigorously neutral).
@IncHulk @snopes Also, the truth is a liberal conspiracy
@snopes Just deactivate the account already. Waste of time and effort.
@snopes That's unfortunate. X should really be paying you guys instead of the other way around.

@snopes

I have some online accounts where the only ‘second factor’ may be a physical address from 35 years ago.

@snopes You're making a great case for leaving X.