Kurt Got Got
Source: fly.io Date: 2025-12-10 URL: https://fly.io/blog/kurt-got-got/
Summary
Security incident essay by Kurt Mackey documenting how he was phished via a convincing fake Twitter/X security alert, resulting in Fly.io's Twitter account being compromised for roughly 15 hours and used to push a crypto airdrop scam. The post uses the incident to argue for phishing-resistant authentication (FIDO2/WebAuthn, origin-bound passkeys) as the only reliable defense: "Phishes are malicious proxies for credentials. Modern MFA schemes like FIDO2 break that proxy flow."
Implications
Security / infrastructure substrate. The practical lesson is the one Mackey names: any login not behind phishing-resistant MFA will eventually be phished, and social media accounts are the soft target because they are treated as lower priority than production infrastructure and often sit outside the IdP entirely. A password plus a typed one-time code is still a bearer secret that a lookalike site can collect and relay in real time; a FIDO2 assertion is signed over the origin the browser actually saw, so the relay fails. For teams building agentic systems the point carries over: an OAuth access token or API key is likewise a bearer credential, so an agent that presents it to whatever endpoint it is pointed at reproduces the same proxy flow unless the credential is bound to its origin or audience. The gap between "we secured our infrastructure behind IdP + FIDO2" and "we left our Twitter on legacy MFA" is exactly the kind of gap that agentic credential sprawl (MCP OAuth tokens, service credentials) will create at scale.
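The "malicious proxy" claim in the Summary and the bearer-versus-origin-bound contrast above can be made concrete with a small simulation. The following is an added illustration, not code from the post or from Fly.io: it models a relying party (RP), a browser and an authenticator, runs the same credential-relaying phish against a TOTP login and against a WebAuthn-style login, and shows the first succeed and the second fail. The hostnames `x.example` and `x-alerts.example` are made up, and an HMAC keyed with a per-credential secret stands in for the authenticator's public-key signature so the block runs with the standard library only; the TOTP implementation itself follows RFC 6238.

```python
"""Credential phish as a proxy: relays a TOTP login, fails against an
origin-bound FIDO2/WebAuthn assertion. Added simulation; not the post's code."""
import hashlib, hmac, json, secrets, struct, time

REAL_ORIGIN = "https://x.example"          # constructed: the real service
PHISH_ORIGIN = "https://x-alerts.example"  # constructed: the lookalike site

def rp_id_of(origin: str) -> str:          # WebAuthn RP ID is the origin's host
    return origin.split("://", 1)[1].split("/", 1)[0]

# ---- legacy MFA: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits) ----
def totp(secret: bytes, t: float, digits: int = 6, step: int = 30) -> str:
    mac = hmac.new(secret, struct.pack(">Q", int(t // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class TotpRP:
    def __init__(self): self.users = {}            # user -> (password, seed)
    def enroll(self, user, password):
        self.users[user] = (password, secrets.token_bytes(20)); return self.users[user][1]
    def login(self, user, password, code, now=None) -> bool:
        pw, seed = self.users[user]; now = time.time() if now is None else now
        # accept the current and previous step, as most servers do
        return hmac.compare_digest(pw, password) and any(
            hmac.compare_digest(totp(seed, now - d), code) for d in (0, 30))

def phish_totp(now=None) -> bool:
    """Victim types password + code into PHISH_ORIGIN; attacker relays them."""
    rp = TotpRP(); seed = rp.enroll("kurt", "hunter2")
    now = time.time() if now is None else now
    relayed = ("kurt", "hunter2", totp(seed, now))   # nothing here names an origin
    return rp.login(*relayed, now=now)               # the RP cannot tell: True

# ---- phishing-resistant MFA: WebAuthn-style assertion ----
class Authenticator:
    """One credential per RP ID; signs only for the RP ID the browser names."""
    def __init__(self): self.creds, self.counter = {}, 0
    def make_credential(self, rp_id):
        cred = (secrets.token_bytes(16), secrets.token_bytes(32))  # (id, key)
        self.creds[rp_id] = cred
        return cred  # the key models the public key the RP records at registration
    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            return None  # no credential scoped to this RP ID: nothing to sign
        cred_id, key = self.creds[rp_id]; self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig

def browser_get(auth: Authenticator, origin: str, challenge: bytes):
    """The browser, not the page, fills in origin and derives the RP ID from it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    out = auth.get_assertion(rp_id_of(origin), hashlib.sha256(client_data).digest())
    return None if out is None else (client_data, *out)

class FidoRP:
    def __init__(self, origin):
        self.origin, self.rp_id, self.creds, self.challenges = origin, rp_id_of(origin), {}, set()
    def register(self, user, cred_id, key): self.creds[cred_id] = (user, key, 0)
    def challenge(self) -> bytes:
        c = secrets.token_bytes(32); self.challenges.add(c); return c
    def verify(self, assertion) -> bool:
        if assertion is None: return False
        client_data, cred_id, auth_data, sig = assertion
        cd = json.loads(client_data); chal = bytes.fromhex(cd["challenge"])
        # origin and challenge are inside the signed client data: a relay cannot rewrite them
        if cd["type"] != "webauthn.get" or cd["origin"] != self.origin or chal not in self.challenges:
            return False
        self.challenges.discard(chal)                                   # single use
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest(): return False
        rec = self.creds.get(cred_id)
        if rec is None: return False
        user, key, last = rec
        expect = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if not hmac.compare_digest(expect, sig) or counter <= last: return False
        self.creds[cred_id] = (user, key, counter); return True

def _enrolled():
    rp, auth = FidoRP(REAL_ORIGIN), Authenticator()
    cred_id, key = auth.make_credential(rp.rp_id); rp.register("kurt", cred_id, key)
    return rp, auth

def fido2_legit() -> bool:
    rp, auth = _enrolled()
    return rp.verify(browser_get(auth, REAL_ORIGIN, rp.challenge()))   # True

def phish_fido2() -> bool:
    """Same proxy: attacker fetches a real challenge and relays it via PHISH_ORIGIN."""
    rp, auth = _enrolled()
    relayed = rp.challenge()   # obtained by the attacker from the real RP
    # the victim's browser sees x-alerts.example, asks for that RP ID, gets no assertion
    return rp.verify(browser_get(auth, PHISH_ORIGIN, relayed))          # False

if __name__ == "__main__":
    print("TOTP phish succeeds:", phish_totp(), "| FIDO2 phish succeeds:", phish_fido2())
```

The two failures that stop the FIDO2 relay are both structural: the browser derives the RP ID from the origin it is really connected to, so the authenticator has nothing to sign for the lookalike host, and even an assertion that somehow existed would carry the phishing origin and a foreign `rpIdHash` inside the signed data, which `FidoRP.verify` rejects. Nothing the user reads, types or clicks enters into that decision, which is the property the post is arguing for.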