Two-Factor Authentication Blocks 85% of X Account Attacks: Real-World Case Analysis
Security researchers monitored a live botnet operation targeting account credentials on platform X. Within just 12 minutes, the system tested over 720,000 login combinations—but 85.6% of accounts remained secure thanks to two-factor authentication (2FA).
Scale and Mechanics of the Attack
The botnet used credential stuffing—a technique that automates the use of stolen username-password pairs from previous data breaches. In total, it attempted 4.8 million logins and successfully compromised 138 accounts. The infrastructure spanned 18 servers within a subnet operated by Turkish provider Komuta Savunma Yuksek Teknoloji Limited Sirketi in Ankara. The command-and-control panel hosted on a Hetzner server (144.76.57.92:5000) was left publicly accessible without authentication, enabling real-time observation.
Key features of the control panel:
- Upload of credential databases;
- Start/stop scanning operations;
- View breach statistics;
- Export compromised accounts;
- Access root passwords for all 18 servers via SSH.
The campaign rolled out in waves from December 2025 through January 2026, peaking on February 24, 2026. Additionally, the main server exposed RDP, SMB, and WinRM ports—common entry points for lateral movement.
2FA Effectiveness in Numbers
The primary defense barrier? Two-factor authentication. The botnet only succeeded in taking over accounts lacking 2FA, automatically skipping protected ones. This aligns with broader research: properly implemented 2FA reduces credential stuffing risks by up to 99%.
Why this attack worked:
- Massive availability of leaked data (billions of credentials on dark web markets);
- Widespread password reuse among users;
- 14.4% of targeted accounts had no 2FA enabled.
Threat Context and Infrastructure Deployment
Credential stuffing continues evolving alongside growing data breaches. According to Verizon DBIR 2025, 80% of breaches involve compromised or weak credentials. Clues like interface language and server names labeled "Sunucu" point to regional threat actors based in Turkey—many of whom favor Hetzner for its anonymous registration policies.
No prior indicators were found in VirusTotal, ThreatFox, or AbuseIPDB, highlighting how attackers now deploy "clean" infrastructure to evade detection. For the industry, this means platforms like X are enhancing automated monitoring—but user-level responsibility remains critical.
Key Takeaways
- 85.6% of attacks were stopped by 2FA, confirming its role as essential baseline protection;
- The botnet compromised 138 accounts out of 4.8 million attempts due to missing multi-factor security;
- An exposed admin panel revealed root passwords for 18 servers, putting the entire network at risk;
- Activity since December 2025 underscores the rising threat of credential stuffing;
- Users on X are strongly advised to enable 2FA immediately to reduce exposure.
Implications and Recommendations
This incident highlights the vulnerability of accounts without 2FA—attackers always go after low-hanging fruit. Industry-wide, we’re seeing increased investment in MFA (multi-factor authentication). Compromised accounts often lead to phishing campaigns or resale on underground forums.
Experts recommend:
- Enable 2FA wherever possible (apps like Google Authenticator; SMS as fallback);
- Use unique, strong passwords managed through tools like Bitwarden or LastPass;
- Monitor personal exposure via Have I Been Pwned.
Real-world cases like this are accelerating 2FA adoption: Google reports that global usage reached 70% by 2025.
— Editorial Team
No comments yet.