
08/25/2020

How Threat Actors Are Bypassing Two-Factor Authentication For Privileged Access

Forbes

With the recent attack on Twitter, a bubble has burst regarding the protection that two-factor authentication (2FA) provides for privileged access and for any user access. While multifactor authentication is still a security best practice, recent attack vectors circumvent the mitigation controls it provides and prove once again that no security solution is 100% effective.

If you are not familiar with the incident, I will not bore you with the details available from professionals and Twitter support, but suffice it to say the attack was based on social engineering and credential theft that even bypassed 2FA. The attack was successful against a small number of users and allowed the threat actors to access a password reset tool, which gave them access to accounts even though they were considered "verified." This exposed multiple aspects of 130 high-profile accounts, of which 45 had bitcoin tweets associated with them.
