The mechanism isn't relevant because the admin tool has a reset function. It is needed of course, because people lose their phones, keys and whatnot. No security mechanism is safe against an administrative reset for services like Twatter.
SMS is seen as less safe because the transport layer is not encrypted. But there isn't much difference in the practical security of the average user.
> SMS is seen as less safe because the transport layer is not encrypted.
Lack of encryption is only part of the problem. Lack of proper authentication is more important. Mobile networks are vulnerable to SS7 redirects, SIM-Jacking and plain old social engineering.
The 2FA reset function is also a part of doing 2FA properly. Your reset needs to be at least as secure as the regular 2FA flow. Meaning that "just phoning support" isn't an option. Yes, resets will be cumbersome and might involve stuff like physical presence, showing a government ID and maybe being vouched for by a third party. Most companies fail badly at this.
That and many users wouldn't do that for online accounts. Blue checkmarks are the exception while ignoring conventional internet wisdom... which came at a steep price.
Edit to the topic: As I said, the transport layer of SMS isn't safe, but I don't think it has practical merit. How often were SMS messages redirected or spied upon? In high-profile cases? Even that would be difficult to determine, but the occurrence is probably very low.
And for a Twitter account? Seriously? Depends on the account, but assessment of threats is the first step of an honest security review. My reddit pwd has been 'reddit' for years. That wouldn't fly if I were Madonna and if I had any attachment to it.
It's way harder to get a device stolen, and impossible to have a trojan installed; even simple apps can read SMS. If the device has a 5-6 digit PIN on top of being stolen, it would require the PIN.
I’m guessing someone re-used a hacked password and SMS 2FA is to blame. Maybe it’s not even that sophisticated.