# Robert Scoble Vishing Hack Incident - Unified Knowledge Graph

**Source URLs:**
- [Grounding Post](https://x.com/Scobleizer/status/2053367142045847649)
- [Grok Conversation](https://x.com/i/grok?conversation=2053503270107197590)
- [Grok Share](https://x.com/i/grok/share/c9e0ced23ca84a93885259d243c2124f)

**Generated:** 2025-05-10  
**Skill:** kg-generator (powered by minimax_m2.5free)  
**RDF Resolver:** [https://x.com/Scobleizer/status/2053367142045847649](https://x.com/Scobleizer/status/2053367142045847649)  
**Attribution:** AI Agent: [OpenCode](https://opencode.ai) | Skills: [kg-generator](https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator), [rdf-infographic](https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/rdf-infographic-skill) | LLM: [minimax_m2.5free](https://opencode.ai/models/minimax_m2.5free) | Platform: [Virtuoso](https://virtuoso.openlinksw.com/)

---

## Article Overview

### The Incident

Robert Scoble, a prominent tech influencer and author of "The Infinite Retina", recounts his experience with a sophisticated social engineering attack that compromised multiple online accounts including his X (Twitter) profile. The incident occurred on May 10, 2025, while Scoble was driving to Tahoe, when he received an unexpected phone call from someone claiming to be from Google support.

### The Attack Vector

The attacker initiated the hack by calling Scoble from **Warsaw, Poland**, with a convincing story about suspicious activity on his Google account. The call came at a strategic moment when Scoble was distracted—driving on a busy highway. This is a classic **vishing** (voice phishing) attack that exploits human psychology rather than technical vulnerabilities.

### How 2FA Was Bypassed

What makes this incident particularly instructive is how the attacker bypassed two-factor authentication. The attacker started a legitimate login attempt to Scoble's Google account from Warsaw, which triggered Google's real 2FA prompt—a number challenge—on Scoble's phone. The attacker then instructed Scoble over the phone to "enter these numbers" to "secure your account." By following the attacker's instructions, Scoble unknowingly approved the attacker's login session.

### Account Compromise Chain

Once the attacker gained access to Scoble's Google account, they could:
- Use Google's Single Sign-On (SSO) to access X if the account was linked
- Reset the X password using Google as the recovery email
- Post unauthorized content from Scoble's profile

The result: explicit images were posted from Scoble's X account to his followers.

### Scoble's Post-Mortem Analysis

In his follow-up posts, Scoble acknowledged his mistakes:
1. **Believed the caller without verification** — didn't hang up and call Google back
2. **Didn't use AI for verification** — had Grok and ChatGPT available but didn't ask them
3. **Was in a panic state** — driving and stressed, impairing judgment
4. **Followed attacker instructions** — even changed password when told to

### Key Lessons

The incident highlights that 2FA—especially push notifications and number-challenge prompts—assumes users will only approve legitimate attempts. Vishing attacks flip this assumption by creating urgency and positioning the scammer as a helper. The user's own 2FA approval becomes the attack vector.

The **AI-first habit**—verifying suspicious situations with an AI before taking action—would have stopped this attack. Grok's analysis reinforces this recommendation, suggesting that always verifying support calls independently and using AI as a first verification step are critical security habits.

---

## Summary

Robert Scoble recounts a social engineering hack via a phone call impersonating Google support, which compromised several accounts including X, leading to unauthorized explicit posts from his profile. The attempt originated from Warsaw. Google assisted in protecting his accounts during the incident.

This unified KG combines analysis from both Grok conversation threads.

---

## Sources

| Source | Type | Content |
|--------|------|---------|
| [Scobleizer Post](https://x.com/Scobleizer/status/2053367142045847649) | Grounding | Original incident report |
| [Grok Conversation](https://x.com/i/grok?conversation=2053503270107197590) | Analysis | Grok's initial analysis |
| [Grok Share](https://x.com/i/grok/share/c9e0ced23ca84a93885259d243c2124f) | Deep Analysis | Detailed step-by-step breakdown |

---

## Knowledge Graph Structure

```
:article (schema:Article)
  ├── :incident (VishingAttack)
  │     ├── author: :robertScoble
  │     ├── compromised: :googleAccount, :xAccount
  │     ├── originatesFrom: "Warsaw"
  │     ├── rdf:type: :vishingAttack
  │     ├── bypassed: :twoFactorAuthentication
  │     └── entryPoint: :credentialStuffing
  ├── :grokConversation (:GrokAnalysis)
  │     └── analyzes: :incident
  ├── :grokShare (:GrokAnalysis)
  │     ├── analyzes: :incident
  │     └── hasPart: :attackSummary, :attackDetails, :lessonsLearned, :preventionSteps
  ├── :faqSection (schema:FAQPage)
  ├── :glossarySection (schema:DefinedTermSet)
  └── :howtoSection (schema:HowTo)
```

---

## Attack Details

### Entry Point
The attacker already had Scoble's password (likely from malware, prior data breach, or credential-stuffing).

### The Vishing Call
The attacker called Scoble, pretending to be Google support and warning about suspicious activity "coming from Warsaw."

### 2FA Bypass
While on the phone, the attacker started a real login attempt to Scoble's Google account from Warsaw. This triggered Google's 2FA push notification. The attacker instructed Scoble to "enter these numbers", and Scoble did so, unknowingly approving the attacker's login.

### Account Compromise
With Google account access, the attacker could:
- Use Google SSO to access X directly
- Reset X password via Google recovery email
- Post explicit images to Scoble's X profile
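
The chain above leaves a recognizable trace in login history: a sign-in started in one country, its 2FA prompt approved on a device in another, then sensitive actions from the new session. The following Python code is an added example, not from the original post or from Google, that flags that pattern. The event schema, field names, 30-minute window, and sample log are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Google or X logs); field names are assumed.
# For "mfa_approved", "country" is where the approving device is located.
EVENTS = [
    {"ts": "2025-05-10T17:02:10", "session": "s-legit", "type": "login_attempt", "country": "US"},
    {"ts": "2025-05-10T17:02:25", "session": "s-legit", "type": "mfa_approved", "country": "US"},
    {"ts": "2025-05-10T18:40:03", "session": "s-1", "type": "login_attempt", "country": "PL"},
    {"ts": "2025-05-10T18:41:30", "session": "s-1", "type": "mfa_approved", "country": "US"},
    {"ts": "2025-05-10T18:43:12", "session": "s-1", "type": "password_changed", "country": "PL"},
    {"ts": "2025-05-10T18:47:55", "session": "s-1", "type": "sso_signin", "country": "PL"},
    {"ts": "2025-05-11T09:00:00", "session": "s-1", "type": "sso_signin", "country": "PL"},
]

SENSITIVE = {"password_changed", "sso_signin", "recovery_reset"}
WINDOW = timedelta(minutes=30)  # assumed correlation window after the approval


def find_relayed_approvals(events):
    """Flag sessions whose login started in one country but whose 2FA prompt
    was approved on a device in another, and collect sensitive follow-ups."""
    origin = {}    # session -> country where the login was initiated
    findings = {}  # session -> finding record
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if ev["type"] == "login_attempt":
            origin[sid] = ev["country"]
        elif ev["type"] == "mfa_approved":
            start = origin.get(sid)
            if start and start != ev["country"]:
                findings[sid] = {
                    "session": sid,
                    "login_country": start,
                    "approver_country": ev["country"],
                    "approved_at": ts,
                    "follow_ups": [],
                }
        elif ev["type"] in SENSITIVE and sid in findings:
            # Only count actions taken shortly after the mismatched approval.
            if ts - findings[sid]["approved_at"] <= WINDOW:
                findings[sid]["follow_ups"].append(ev["type"])
    return list(findings.values())


if __name__ == "__main__":
    for f in find_relayed_approvals(EVENTS):
        print(f)
```

A country mismatch alone also occurs with VPNs and travel, so the follow-up actions are what raise the priority of a finding.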

---

## Scoble's Mistakes

1. [Believed the phone caller without verification](https://x.com/Scobleizer/status/2053367142045847649#lessonsLearned)
2. [Didn't pause to check with an AI](https://x.com/Scobleizer/status/2053367142045847649#aiFirstHabit) like Grok or ChatGPT
3. [Was driving and in a panic](https://x.com/Scobleizer/status/2053367142045847649#lessonsLearned)
4. [Followed attacker's instructions](https://x.com/Scobleizer/status/2053367142045847649#lessonsLearned), including changing password when told

---

## FAQ

**Q: [What happened to Robert Scoble?](https://x.com/Scobleizer/status/2053367142045847649#q1)**  
A: He experienced a vishing attack where attackers impersonated Google support, tricking him into approving a 2FA prompt that gave them access to his accounts.

**Q: [Where did the attack originate?](https://x.com/Scobleizer/status/2053367142045847649#q2)**  
A: Warsaw, as confirmed by Google.

**Q: [How did they bypass 2FA?](https://x.com/Scobleizer/status/2053367142045847649#q3)**  
A: They started a real login, triggering Google's 2FA prompt, then instructed Scoble to approve it.

**Q: [What accounts were compromised?](https://x.com/Scobleizer/status/2053367142045847649#q4)**  
A: Google and X (Twitter).

**Q: [What mistakes did Scoble make?](https://x.com/Scobleizer/status/2053367142045847649#q5)**  
A: He believed the caller without verification, didn't use AI, was driving and panicked, and followed the attacker's instructions.

**Q: [How can people prevent this?](https://x.com/Scobleizer/status/2053367142045847649#q6)**  
A: Verify support calls independently, use AI to verify, maintain AI-first habits.

**Q: [What is vishing?](https://x.com/Scobleizer/status/2053367142045847649#q7)**  
A: Voice phishing - phone-based social engineering attack.

**Q: [Why is 2FA not enough?](https://x.com/Scobleizer/status/2053367142045847649#q8)**  
A: Users can be socially engineered into approving an attacker's login attempts.

---

## Glossary

| Term | Definition |
|------|------------|
| **[Vishing](https://x.com/Scobleizer/status/2053367142045847649#vishingAttack)** | Voice phishing - phone-based social engineering |
| **[2FA](https://x.com/Scobleizer/status/2053367142045847649#twoFactorAuthentication)** | Two-Factor Authentication |
| **[Social Engineering](https://x.com/Scobleizer/status/2053367142045847649#socialEngineering)** | Psychological manipulation to trick people |
| **[Account Compromise](https://x.com/Scobleizer/status/2053367142045847649#accountCompromise)** | Unauthorized access to user accounts |
| **[Credential Stuffing](https://x.com/Scobleizer/status/2053367142045847649#credentialStuffing)** | Using leaked credentials to access accounts |
| **[AI-First Habit](https://x.com/Scobleizer/status/2053367142045847649#aiFirstHabit)** | Using AI to verify before taking action |

---

## How to Protect Against Vishing

| Step | Action |
|------|--------|
| 1 | **[Verify independently](https://x.com/Scobleizer/status/2053367142045847649#step1)** - Hang up and call back using a known number |
| 2 | **[Use AI verification](https://x.com/Scobleizer/status/2053367142045847649#step2)** - Ask Grok or ChatGPT to verify |
| 3 | **[Don't panic](https://x.com/Scobleizer/status/2053367142045847649#step3)** - Take a breath |
| 4 | **[Never share 2FA codes](https://x.com/Scobleizer/status/2053367142045847649#step4)** - Legitimate support never asks |
| 5 | **[Use hardware keys](https://x.com/Scobleizer/status/2053367142045847649#step5)** - Prefer YubiKey over SMS |
| 6 | **[Review account activity](https://x.com/Scobleizer/status/2053367142045847649#step6)** - Check login history |
| 7 | **[Maintain AI-first habits](https://x.com/Scobleizer/status/2053367142045847649#step7)** - AI as first verification step |

---

*Generated from RDF: scoble-vishing-incident-minimax_m2.5free.ttl*  
*HTML Visualization: scoble-vishing-incident-minimax_m2.5free.html*