UPDATED 23:28 EDT / MARCH 14 2018

Cryptocurrency with security focus has its Twitter account hacked

A cryptocurrency that claims to be the most secure on the market has had its Twitter account hacked, with customers scammed into handing over funds via a fake promotion.

The hacking of the Twitter account of the Verge cryptocurrency occurred Tuesday. Hackers asked Verge followers to donate Verge tokens, called XVG, to a fraudulent wallet for a chance to receive double the amount in return. It’s a scam that apparently has been running rampant in the altcoin business over the last few months, according to The Next Web.

Missing the irony, Verge itself claimed that the hackers leveraged a password used by a developer that had been exposed in Yahoo hacks to access an initial account, then tricked AT&T into transferring a number linked to the account.

Phil Tully, principal data scientist at ZeroFOX Inc., told SiliconANGLE that users are “notorious for setting identical or highly similar passwords across different digital channels, and attackers use them to pivot to a victim’s other social, email, retail or banking accounts, compounding the initial damage.”

Called “credential stuffing,” these incidents tend to spike in frequency following large-scale breaches like the one affecting Yahoo. Tully said many high-profile social and digital accounts have been compromised through credential stuffing in the past.

“Social and digital accounts associated with cryptocurrencies are prime targets for account takeovers because they are followed by hundreds of thousands of wallet holders,” Tully explained. “When an account like Verge is taken over, attackers can use the legitimate account to spread scams to eager followers and funnel irreversible cryptocurrency transactions directly into their own wallets.”

Unfortunately, he said, this is “par for the course on social media, which provides access to a key demographic of digitally connected people who are most interested in getting into the booming crypto game, but who also lack the specialized expertise necessary to tell a legitimate from an illegitimate offer.”

Tully said he always recommends that users enable two-factor authentication on their social media accounts. But in this case, the hacker managed to intercept the second login factor through a “phone porting attack,” that is, tricking AT&T into transferring ownership of the number used for that authentication.

“Twitter recently added support for app-based 2FA through third-party services like Google Authenticator and Duo Mobile, which avoid sending the secondary login code to a taken over phone’s text messages,” Tully noted. He suggests using long, non-overlapping and frequently rotated passwords for each social media account, as well as checking whether any personal account has ever been compromised in a large-scale data breach using a service such as haveibeenpwned.com.
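To make concrete why app-based 2FA sidesteps the phone-porting attack described above, here is an added example (not code from the article, Twitter or any authenticator vendor) of the TOTP scheme those apps implement per RFC 4226/6238: the one-time code is computed on the device from a shared secret and the current time, so nothing is ever sent over SMS for a ported number to receive. The demo secret is the constructed test key from those RFCs; the function names and the ±1-step drift window are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)

# Server-side check: accept the current step plus one step either side for clock drift,
# comparing in constant time so the check does not leak how many digits matched.
def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )

# Enrollment secrets are shown to the user as base32 (the form used in otpauth:// QR codes);
# this tolerates the spaces and lowercase that users typically type.
def secret_from_base32(encoded: str) -> bytes:
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

if __name__ == "__main__":
    # Constructed demo secret: the shared key from the RFC 4226 / RFC 6238 test vectors.
    demo_secret = b"12345678901234567890"
    print("base32 form for the authenticator app:", base64.b32encode(demo_secret).decode())
    print("code at t=59:", totp(demo_secret, at=59))  # 287082 per RFC 6238
    print("accepted:", verify_totp(demo_secret, "287082", at=59))
```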

Image: Verge
