Credit: The original article is published here.
Poor Elmo. The adorable, perpetually 3-year-old Sesame Street character loves us, but someone clearly does not love the furry red guy back. Hackers took over his popular X (formerly Twitter) account on Sunday and posted some decidedly un-Elmo-like content. It’s surprising for a character and platform that are focused on teaching us likely missed a basic rule of social media: always set up Two-Factor Authentication.
All the deeply offensive posts have since been removed from Elmo’s account, which has over 684,000 followers, and while Sesame Street has publicly commented on the hack, Elmo’s account has been silent for the last 48 hours.
To think, this probably all could’ve been avoided if Sesame Workshop, which runs the account, had learned one simple lesson.
T is for Two-Factor Authentication.
If you have a Blue check (or any color official check) on your X account, you’re likely a target. Elmo’s account is verified, though we think it should be a red check. For a time, it was hard to identify verified accounts because X CEO Elon Musk removed them in 2023, demanding that anyone who wanted one pay $8 a month. He relented a year later, and accounts like Elmo’s got their checks back. It was good news, except for the fact that hackers instantly knew again exactly who to target.
Tied up in verification was Two Factor Authentication, or rather, how you could verify. X ended SMS (text-based) verification for non-paying members and instead favors codes and security keys.
But I digress. It helps to explain two-factor authentication (also known as 2-factor-auth and 2FA) in a way that Elmo can understand.
Elmo likes to learn
Elmo. Elmo, look at me. Please stop playing with that puppy and look at me.
Yes, yes, I know, “Elmo loves me.” Please, listen.
You know that X account that you love using so much, the one where you offer hugs and ask us all to come outside and play?
I know, right, it used to be called “Twitter.” No, I do not know why they changed the name.
Let’s focus.
Your X account has your name, and you use it by signing in, right?
Yes, Elmo, you’ve done a very good job with that. I see you on the account every day, so you clearly know how to sign in. That’s very good, Elmo.
But, Elmo, your account is missing something.
No, wait, Elmo, do not go running off to look for it. It’s not something you dropped.
You need to make it harder to log in. You need to add something called “Two-factor authentication.”
Harder is sometimes a scary word, but not this time, and, yes, “authentication” is a big word. I can help.
The ABCs of security
It’s simple, Elmo, when you sign into your account, you will also need your phone with you to generate a code.
Yes, Elmo, I do see your phone. It’s very nice. I know you don’t use it all the time. You’re good about that.
Two-factor authentication simply means, Elmo, that when you sign in, there is a second step (or factor) you need to accomplish before you can use your account again.
First, you should enable Two Factor Authentication on your X account. This does mean you’ll need the email you used to create the account. Ask the adults at Sesame Workshop to find it. They will also need to enter the password and then verify the use of a secondary login method.
Now, Elmo, here’s where it gets a little complicated. Once this is set up, after you sign in – Elmo, stop playing with Tango for a second and look at me – Twitter will ask you for a code.
I use, and I think you could too, Google’s Authenticator
App. Once this is set up, after you try to log in (you or a trusted adult, Elmo), you’ll be asked for a code. You simply open the Google Authenticator app and grab the code that is shown for X, and then enter it in X.
After that, Elmo, you’re done.
Yes, yes, Elmo, it is exciting. No, I don’t think it’s fun, but it’s fine if you do.
Give 2FA a hug
Okay, I think Elmo gets it.
Hopefully you do. The technology here is simple: a hacker can’t sign into your account without that secondary verification system. They need that code, which is only coming to the app and the phone in your hand.
I promise that hackers will try, and you may get emails about their attempts, but they will likely fail because hackers do not have that code and cannot complete the login. Also, 2FA isn’t just for X; it’s a valuable security tool for any online account, including email, banking, and work accounts.
One more thing for you and, oh, Elmo, come back here for a second. Everyone should change their passwords every six months. This makes it difficult for hackers who have hoovered up your information in a data breach to use old passwords to access your accounts.
I know, Elmo, you love us. We love you, too.
