As detailed in a series of tweets, this morning someone called Verizon posing as Mckesson, apparently armed with the last four digits of his Social Security number. This person changed the registered SIM on his account to one they controlled, redirecting any SMS to their phone instead of his. After that, they simply triggered a password reset on Twitter and waited for the authorization code to arrive.
While @Deray was able to recover his account with Twitter's help (it's good to be friends with @Jack), for the average user it might not be as easy. Unfortunately, even with extra security like two-factor authentication in place, social engineering of various types can still put your information at risk. Hackers used a similar method to take control of developer Grant Blakeman's Instagram page in 2014, and accessed a Gmail account belonging to the CEO of Cloudflare in 2012 by redirecting his AT&T voicemail. Wired writer Mat Honan had his accounts and devices taken over when a hacker convinced Amazon to give up the last four digits of his credit card number, then used that information to get a new password for his Apple iCloud account.
So what else can you do to protect yourself? Unfortunately, many services still use SMS or phone calls to perform the second step of authentication (using a one-time password generated by an app like Google Authenticator removes your phone number from the equation entirely), and telephone and cable providers largely don't support two-factor at all. Instead, by default they verify account information over the phone using your SSN, as happened in this case, and that number is all too easily found by hackers.
Buzzfeed points out a recommendation recently published by the FCC's CTO: the major mobile carriers will let you set your own password that is required for account access. Sprint requires a PIN at account setup, Verizon can set up a four-digit billing password, T-Mobile will set up a customer care password if you ask, and AT&T lets you set one up via its app. Your internet service provider probably has a similar option, but you may have to request it there as well.