This has been the week of Twitter hacks, from Mark Zuckerberg to a trove of millions of passwords dumped online to, most recently, Black Lives Matter activist DeRay McKesson.

In Zuckerberg’s case, it seems he was guilty of using a terrible password across multiple accounts, specifically a kind of adorable but way too simple one: dadada. That’s according to the Wall Street Journal, who spoke to “a person familiar with the matter.” But Black Lives Matter activist Deray McKesson did not make that common mistake. In fact, he seemed to take every precaution, setting up two-factor authentication—as we have advocated many times—so that anyone attempting to get into his Twitter account would have to have not only his password but a second code texted to his cell phone.

Well, the hackers got his cell phone, too.

It’s surprisingly simple for hackers to gain access to your entire mobile account. Just this week, the Federal Trade Commission’s top technologist Lorrie Cranor recounted to WIRED how hackers were able to hijack her account to buy new phones under her name, deactiving her family’s phones and sending her scrambling to lock everything down. As McKesson explained on Twitter today after he regained control of his account, that’s exactly what seemed to have happened to him, too.

Once the hackers had the keys to McKesson’s cellular account, they were able to reroute his text messages to a different SIM card, get his two-factor code, and voila, they were in his Twitter, and even his email accounts.

The most important takeaway from all this is that one method of protection against hackers isn’t enough. And in fact, two isn’t either. As our digital lives grow ever more connected, your security is only as strong as your weakest way in. You have to protect yourself everywhere. Right now, the best way to safeguard against the kind of account hijacking McKesson and Cranor experienced is to set up a secondary code on your mobile account. Every mobile carrier offers you the option of setting up a customer service pin that must be provided before changes of any kind can be made to your account. Set that up. That way, even if the hackers have an easy-to-find bit of personal info that could enable access—the last four digits of your social security number, for example, as in McKesson’s case—there’s another level of protection between them and the whole world that your mobile account opens up.