TikTok account accessed by unknown device — no 2FA enabled, but email has 2FA. Could it be a code interception?

Hi everyone,

I recently discovered by chance that an unknown device logged into my TikTok account. I did not have two-factor authentication (2FA) enabled on TikTok itself, but my email account does have 2FA.

The strange part is that I don’t think the attacker used my email, since that would’ve required passing 2FA. It seems more like they got access through a login code sent by SMS — similar to what happened in the past with some Telegram account breaches where attackers intercepted codes.

Article by u/desktopecho

https://www.reddit.com/r/Telegram/comments/1d4cep3/attackers_can_create_telegram_accounts_using_your/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

The intruder didn’t change my password, didn’t remove my email or phone number. They just followed a few accounts, then I changed the password and deleted the account myself.

I’m confused why they didn’t take full control — maybe they couldn’t? Maybe they were testing access first?

Has anyone experienced something similar on TikTok? Could it be that login codes are getting intercepted somehow, even without full email access?

Comments

Magnet70about 1 year ago1

I know it’s unsettling, but you’re not alone, and you handled it well.

What you described does sound like a possible case of SMS code interception, especially since your email has 2FA and wasn’t touched. TikTok, unfortunately, doesn’t force proper 2FA by default, and if your login was based on a phone number + SMS code, that’s a vulnerable combo. This kind of thing has happened with Telegram too, and even some Meta accounts — it’s not always a full takeover attempt. Sometimes it’s just bad actors testing access or using compromised sessions to quietly push content or collect data.

The fact that they didn’t change your password or lock you out is actually a good sign. It likely means they didn’t have full control, or it was an automated attack that didn’t go further. Still, it’s a wake-up call.

My advice: – Enable TikTok 2FA using an authenticator app, not SMS. – If TikTok still has your phone number linked, remove it if possible. – Check if your number has been in any known breaches (haveibeenpwned.com is great for this). – And for peace of mind, make sure your mobile provider account has a PIN/passcode set up to protect against SIM swap attempts.

You clearly did the right thing by acting fast. Most people don’t notice until it’s too late, so you’re ahead of the curve. Hope you’re feeling more secure now