Yes, we added 2FA. Here's why.

The texting industry is seeing an increase in account breaches where attackers gain access to accounts and send unauthorized messages. Attackers look for weak points such as shared usernames and passwords. When they gain access, they can pose as your organization, damage your reputation, and trigger carrier restrictions. We have seen attempted breaches against our customers, which is why we made the decision to strengthen login security for everyone on our platform.

Two-factor authentication (2FA) is now required for every user. This means that when someone logs in, they will have to enter their password and then may also have a verification code sent to the account email. This step greatly reduces the risk of unauthorized access, even if a password is leaked or shared without full awareness.

Most of the risk we observed came from organizations where multiple people share a single login. This creates a single point of failure. When one password is used by many people, it is easier for attackers to find, reuse across platforms, or intercept. It also forces your staff to depend on one person’s inbox to complete logins, which slows down your workflow and increases the chance of error.

The better setup is simple. Each person who uses the account should have their own login. Additional Text-Em-All users are free and take less than a minute to set up. Each user logs in with their own credentials, gets their own 2FA code, and can operate independently without requiring access to someone else’s email.

If you manage several staff or volunteers, take a moment now to confirm that everyone who needs access has their own login and their email address is current and accessible. You can update any login’s email address in your account settings at any time.

Our goal is to protect your account, your contacts, and your ability to send messages without interruption. Strengthening login security is a necessary step to stay ahead of the attacks happening in the industry. If you need help with user setup or adjusting your account, our support team is here to assist.

Recent examples from the news

• On November 12, 2025, Google filed a lawsuit in the U.S. District Court for the Southern District of New York against a group of 25 anonymous individuals allegedly behind a large-scale “smishing” (SMS phishing) campaign. The group is accused of using a software kit named “Lighthouse” to send scam texts impersonating brands like the U.S. Postal Service and toll-collection services, targeting over 1 million people in more than 120 countries and potentially stealing between 12.7 million and 115 million U.S. credit or banking card details. Reuters

• The Federal Bureau of Investigation (FBI) issued a public warning about a rise in “smishing” attacks via text messages that claim the recipient has an unpaid toll or must pay a fee, urging them to click a link. These messages often impersonate government agencies or trusted services. People

• A study of how SMS spoofing works shows attackers are able to change the sender ID of a text message so it appears to come from a legitimate source, which strengthens the case that shared logins and weak authentication make organizations vulnerable to having attacker messages sent from their account or infrastructure. CyberGuy

These examples underscore that the risk is not limited to email or social media. Text messages are a major attack vector, especially for organizations that send mass messaging, because the sender’s identity can be forged, and the breach can cause serious downstream damage — to trust, carrier standing, and regulatory compliance.

2FA FAQs

Why do we care about SMS/text-message scams (smishing) when we are using a messaging platform?

Because your account and its credentials (including login and authentication) can become tied to texts that appear legitimate but are not. If attackers gain access, they can use your platform to send unauthorized messages, impersonate your organization, and that can lead to regulatory, carrier or reputational issues. Recent lawsuits and FBI warnings confirm this is active and growing.

How does sharing one login make us more vulnerable to text-message scams?

If multiple people use one login, the password may live in several inboxes, devices or browser histories. Attackers target that kind of weak access. With shared credentials and weak or missing 2FA, an attacker may gain control and send texts that look like your organization, or access contacts to send unsolicited messages.

Isn’t 2FA just extra friction?

Yes there is a small amount of friction. But the cost of a breach is far greater: unauthorized sending, having your account suspended by carriers, loss of trust, regulatory exposure. The recent smishing campaigns prove that breach risk is real.

Does 2FA protect us from smishing attacks entirely?

No system is perfect, but requiring 2FA and having separate user accounts greatly reduce the risk of credential-based intrusion. Attackers now rely on stolen credentials and shared access. Protecting logins is a core defense.

What should we do for our staff access?

Create individual user logins, apply 2FA, make sure each user’s email is valid, accessible and monitored. Limit sharing of primary admin credentials. Review who can send messages and access contacts.

What if someone in our team loses the email or device used for 2FA?

Build a backup plan: an admin account that can reset access, documented procedures for recovery. Make sure users know what to do if they change email or phone.

What happens if an attacker sends unauthorized messages from our account anyway?

Act immediately: disable compromised user login, rotate passwords, run a contacts audit to check if message lists were exported or misused, review your carrier compliance status. That’s why pre-emptive protection matters.