One hacker. Twenty-four years old. A laptop and a phone. That was all it took for Tyler Buchanan to compromise some of the most prominent technology companies in America. Using SMS phishing, Buchanan breached LastPass, Twilio, DoorDash, Mailchimp, and dozens of others. Estimated losses: $8 million.

The Technique

SMS phishing (smishing):
Messages appeared to come from IT departments or SSO portals
Links to pixel-perfect credential-harvesting pages
Employees entered usernames, passwords, and 2FA codes

The pivot:
Once inside telecom companies via third-party breaches, the group performed SIM-swap attacks, transferring victims' phone numbers to attacker-controlled devices so that SMS 2FA codes were delivered straight to the attackers.

The Victims

Target / Impact
LastPass / Encrypted password vaults for millions stolen
Twilio / Customer MFA/SMS delivery systems accessed
DoorDash / Customer and driver personal data stolen
Mailchimp / Marketing accounts accessed
Cloudflare / Targeted by the same phishing kit; employees entered credentials and TOTP codes, but hardware security keys kept the attackers out

Why SMS Phishing Still Works

Organizations treat SMS as a trusted security channel
BYOD corporate access on personal phones lacks endpoint protection
SSO monoculture means one credential set grants access to dozens of systems
SMS 2FA proves possession of a phone number, not of a person: a SIM swap moves that number to the attacker in minutes, and a code typed into a fake login page can be relayed even without one

Protection

Never act on SMS links; type the site's address yourself
Use hardware security keys (YubiKey, Titan) or passkeys for 2FA: a FIDO2/WebAuthn assertion is bound to the site's origin, so a credential-harvesting page has nothing it can relay
Where hardware keys are not available, use app-based 2FA rather than SMS everywhere you can; it cannot be SIM-swapped, though a real-time phishing page can still relay the code
Organizations: ban SMS 2FA for privileged accounts and deploy phishing-resistant MFA (FIDO2/WebAuthn) behind SSO

Tyler Buchanan stole $8 million using a phone and a talent for deception. He never wrote exploit code. He did not need to.
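The two mechanics this article turns on, a harvesting page relaying a one-time code in real time and a hardware key refusing to sign for the wrong origin, can be shown side by side. The following is an added example written for this page; it is not Buchanan's tooling or any vendor's code. The hostnames, secrets and the HMAC-based stand-in for an authenticator's signature are constructed for illustration; the TOTP routine is the real RFC 6238 algorithm.

```python
"""Real-time phishing relay vs. origin-bound authentication (added example).

Scenario 1: the victim types username, password and the current TOTP code
into a pixel-perfect fake SSO page; the kit forwards the same fields to the
real portal seconds later. The server cannot tell who typed the code, only
that it is valid for the current 30 s window, so the login succeeds.

Scenario 2: the same relay against a WebAuthn-style authenticator. The
browser, not the user, tells the authenticator which origin is asking, and
that origin is covered by the signature. An assertion produced on the
lookalike page does not verify at the legitimate origin.
"""
import hashlib
import hmac
import struct

LEGIT_ORIGIN = "https://sso.example-corp.com"         # constructed
PHISH_ORIGIN = "https://sso.example-corp-okta.com"    # constructed lookalike


# --- One-time codes: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) --------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """The legitimate SSO portal: password plus a code for the current step."""

    def __init__(self, users: dict):
        self.users = users  # username -> (password, shared TOTP secret)

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        pw, secret = self.users[username]
        if pw != password:
            return False
        # Accept the current and the previous step to tolerate clock skew,
        # which is exactly the slack a relay needs.
        return code in {totp(secret, now), totp(secret, now - 30)}


def phish_relay_otp(server: OtpServer, username, password, code, now) -> bool:
    """Phishing kit: replay the harvested fields to the real portal 5 s later."""
    return server.login(username, password, code, now + 5)


# --- Origin-bound authentication: simplified WebAuthn ------------------------
class Authenticator:
    """Stand-in for a security key. A real key signs with a private key; an
    HMAC over the same data plays that role so the example needs no library."""

    def __init__(self, key: bytes):
        self.key = key

    def sign_challenge(self, challenge: bytes, origin: str) -> bytes:
        # `origin` is supplied by the browser from the page actually loaded.
        return hmac.new(self.key, challenge + origin.encode(), hashlib.sha256).digest()


class WebAuthnServer:
    def __init__(self, keys: dict, origin: str):
        self.keys = keys            # username -> registered authenticator key
        self.origin = origin        # the only origin this relying party accepts
        self.pending = {}

    def begin(self, username: str, nonce: bytes) -> bytes:
        self.pending[username] = nonce
        return nonce

    def finish(self, username: str, assertion: bytes) -> bool:
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        expected = hmac.new(self.keys[username], challenge + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def relay_webauthn(server, auth, username, nonce, origin_seen_by_browser) -> bool:
    """Fetch a genuine challenge, have the victim's key sign it on whichever
    page the victim is on, and submit the result to the real server."""
    challenge = server.begin(username, nonce)
    return server.finish(username, auth.sign_challenge(challenge, origin_seen_by_browser))


def run_scenarios() -> dict:
    now = 1_700_000_000                      # fixed instant, keeps the demo deterministic
    otp_secret = b"constructed-totp-seed"    # constructed
    portal = OtpServer({"alice": ("hunter2", otp_secret)})
    code = totp(otp_secret, now)             # what alice reads off her phone
    key = b"constructed-authenticator-key"   # constructed
    auth = Authenticator(key)
    rp = WebAuthnServer({"alice": key}, LEGIT_ORIGIN)
    return {
        "otp_relay": phish_relay_otp(portal, "alice", "hunter2", code, now),
        "otp_relay_too_late": portal.login("alice", "hunter2", code, now + 120),
        "webauthn_relay": relay_webauthn(rp, auth, "alice", b"\x01" * 16, PHISH_ORIGIN),
        "webauthn_honest": relay_webauthn(rp, auth, "alice", b"\x02" * 16, LEGIT_ORIGIN),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} login accepted: {ok}")
```

The OTP relay succeeds whether the code came from an app or an SMS, and a SIM swap only removes the need for the victim to type it at all. In real WebAuthn the origin sits in the signed clientDataJSON and the relying-party ID is hashed into the authenticator data, so the relay fails for the same reason it does here: the signature commits to the page the user was really on.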