SYSTEM Cited by 1 source
# Twitter / X.com

## What it is
Twitter (rebranded to X in 2023; the canonical domain migrated from twitter.com to x.com) is a public microblogging platform. For sysdesign-wiki purposes, it's relevant as the target platform in a canonical account-takeover postmortem, and as a concrete instance of the legacy shared account pattern.
## Why it's on this wiki
Twitter / X appears as the compromised surface in Fly.io's 2025-10-08 "Kurt Got Got" postmortem. Three reusable architectural observations the post canonicalises:
### "x.com" is a structurally phishable domain
"Kurt complains that 'x.com' is an extremely phishable domain." (Source: sources/2025-10-08-flyio-kurt-got-got)
Single-character, short, generic domain; nearly zero visual entropy for a user to discriminate. The attack lookalikes were members-x.com / alerts-x.com, which plausibly look like official Twitter infrastructure. The wiki's broader lesson: when the domain is low-entropy, users can't do origin discrimination reliably, which makes machine-enforced origin-binding more, not less, important.
### Account recovery is 2FA-reset-gated, ~15 hours
"The attacker immediately revoked all tokens and set up new 2FA, so while we were quickly able to reset our password, we couldn't lock them out of our account without an intervention from X.com, which took something like 15 hours to set up. (That's not a knock on X.com; 15 hours for a 2FA reset isn't outside industry norms.)" (Source: sources/2025-10-08-flyio-kurt-got-got)
Industry-normal operational datum for recovery after attacker-set 2FA on a major social platform. Self-serve password reset is useless once the attacker rotates the second factor + email-of-record; the legitimate owner routes through the platform's human-reviewed recovery channel. Design implication for anyone operating accounts on major platforms: expect O(10+ hours) before recovery lands, plan comms accordingly.
### Passkey support is available and the right fix
"Either way: our Twitter access is Passkeys now." (Source: sources/2025-10-08-flyio-kurt-got-got)
X/Twitter supports WebAuthn / security keys / passkeys as a 2FA method. The Fly.io fix moves the account onto Passkeys, relocating the protection from plugin-side autofill behaviour (weak, defeatable by manual copy-paste) to authenticator-side cryptographic origin binding (strong, undefeatable by credential-copy-paste).
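To make the origin-binding point concrete (for both the "phishable domain" observation above and the passkey fix), here is an added toy model of the WebAuthn assertion ceremony. It is not code from the Fly.io post or from X; the HMAC "signature" stands in for the authenticator's ECDSA signature, the credential secret and the allowed-origin set are constructed assumptions, and the challenge is hex-encoded rather than base64url. What it keeps faithful is the binding: the browser refuses to use an `x.com` credential from a `members-x.com` page, and the relying party independently checks `clientDataJSON.origin` and `rpIdHash`, so a reverse-proxy lookalike cannot relay a valid assertion the way it relays a copy-pasted password.

```python
import hashlib
import hmac
import json
import os
import struct

# Added example: toy WebAuthn origin binding. Not the page's or X's code.
RP_ID = "x.com"                                            # relying party identifier
ALLOWED_ORIGINS = {"https://x.com", "https://twitter.com"}  # assumed RP policy
CRED_SECRET = b"constructed-credential-secret"             # stands in for the private key


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side check: rpId must equal, or be a registrable suffix of,
    the calling page's host. members-x.com is not a subdomain of x.com."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data: bytes, counter: int):
    """authenticatorData = rpIdHash || flags || signCount; the authenticator
    signs authenticatorData || SHA-256(clientDataJSON). HMAC replaces ECDSA here."""
    auth_data = rp_id_hash(rp_id) + b"\x05" + struct.pack(">I", counter)  # flags UP|UV
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, to_sign, hashlib.sha256).digest()


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes, cred_secret: bytes, counter: int = 1):
    """navigator.credentials.get(): the browser, not the page, writes the
    origin into clientDataJSON, and refuses an rpId the origin may not use."""
    if not rp_id_allowed(origin, rp_id):
        raise PermissionError(f"rpId {rp_id!r} not valid for origin {origin!r}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),  # spec uses base64url; hex keeps the toy short
        "origin": origin,
    }).encode()
    auth_data, sig = authenticator_sign(cred_secret, rp_id, client_data, counter)
    return client_data, auth_data, sig


def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, expected_challenge: bytes, cred_secret: bytes):
    """Relying-party checks, in the order the spec lists them (abbreviated)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge.hex()):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} not in allowed set"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    """User really is on https://x.com: every check passes."""
    challenge = os.urandom(32)
    cd, ad, sig = browser_get_assertion("https://x.com", RP_ID, challenge, CRED_SECRET)
    return rp_verify(cd, ad, sig, challenge, CRED_SECRET)


def proxied_lookalike_login() -> str:
    """User is on the lookalike; the proxy relays x.com's genuine challenge.
    The browser stops the ceremony before the authenticator is even asked."""
    challenge = os.urandom(32)
    try:
        browser_get_assertion("https://members-x.com", RP_ID, challenge, CRED_SECRET)
    except PermissionError as e:
        return f"browser refused: {e}"
    return "unexpected: assertion produced"


def forged_origin_assertion():
    """Defence in depth: even a clientDataJSON that somehow carried the
    lookalike origin is rejected by the RP's own origin check."""
    challenge = os.urandom(32)
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                     "origin": "https://members-x.com"}).encode()
    ad, sig = authenticator_sign(CRED_SECRET, RP_ID, cd, 1)
    return rp_verify(cd, ad, sig, challenge, CRED_SECRET)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("lookalike: ", proxied_lookalike_login())
    print("forged:    ", forged_origin_assertion())
```

The two layers are the design point: the browser's rpId rule means a passkey scoped to x.com is never exercised from a lookalike page, and the RP's origin check means that even if the first layer were bypassed, the assertion would not verify. Neither layer depends on the user noticing that members-x.com is not x.com, which is exactly the discrimination the post argues users cannot be expected to perform.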
## Seen in

- Fly.io Kurt Got Got (2025-10-08) — canonical wiki instance. The @flydotio account was taken over via a phish (alerts-x.com → members-x.com reverse proxy). Fly.io's infrastructure was unaffected (all internal surfaces were behind Google SSO with phishing-proof MFA); Twitter/X was a legacy shared account outside that regime. 15-hour recovery via X support. Post-incident fix: Passkeys (sources/2025-10-08-flyio-kurt-got-got).
## Related
- concepts/account-takeover-ato — the incident shape Fly.io's account suffered.
- concepts/legacy-shared-account — the governance bucket Fly.io's Twitter account sat in.
- concepts/phishing-resistant-authentication — the defence the account was retrofitted with post-incident.
- concepts/passkey-authentication — the specific auth method Fly.io adopted.
- companies/flyio — the affected org.