X: SEC account hack renews security concerns

The recent hack of the U.S. Securities and Exchange Commission’s (SEC) official account on X has raised concerns about the security of the platform, particularly following Elon Musk’s takeover in 2022.

On Tuesday, hackers falsely claimed on @SECGov that the SEC approved bitcoin ETFs, causing a spike in the cryptocurrency’s price. The post was deleted about 30 minutes later, causing concern among observers.

The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.

— U.S. Securities and Exchange Commission (@SECGov) January 9, 2024

Later on Tuesday, X confirmed, after a preliminary investigation, that the SEC’s account was compromised. This occurred when an unidentified individual gained control over a phone number associated with the account through a third party.

The social media platform also said in a post that the SEC did not have two-factor authentication enabled at the time the account was compromised.

While X said the compromise was not because of a breach of the platform’s systems, security analysts called the incident disquieting.

“Something like that, where you can take over the SEC account and potentially affect the value of bitcoin in the market – there’s massive opportunity for disinformation,” said Austin Berglas, a former cybersecurity official at the FBI’s New York office and a senior executive at the security firm BlueVoyant.

Accounts on X, previously known as Twitter, are susceptible to hijacking through various means, including password theft or manipulating users into divulging their login credentials. This vulnerability is akin to the risks observed on other social media platforms.

Accounts can also be taken over by breaching X’s security, as happened in 2020, when a teenager masterminded a break-in of Twitter’s internal computer network and seized control of dozens of high-profile accounts, including those of former President Barack Obama and Musk, well before he bought Twitter.

Also Read: Musk Backs Republicans on Eve of U.S. Midterms

An SEC spokesperson on Tuesday said the “unauthorized access” of its account by an “unknown party” had been revoked and the agency was working with law enforcement and others in the government to investigate the matter.

Security problems

Even before it was acquired by Musk and changed its name to X, however, Twitter was the subject of persistent security problems.

The 2019 arrest of a Saudi agent who had secretly combed the site’s backend for personal information about the kingdom’s dissidents raised concerns about Twitter’s internal safeguards.

The subsequent mass hijacking by a Florida teen the following year escalated concerns. The New York state’s Department of Financial Services criticized the firm for a “simple” hack. In 2022, Peiter Zatko, Twitter’s former security chief, publicly accused the company of numerous security failings jeopardizing national security before its acquisition by Musk.

Former staff members of Twitter claim that security measures have worsened since Elon Musk bought the company in October 2022. Musk allegedly ordered a 50% cut in physical security budget and wanted to eliminate programs aimed at finding and fixing digital vulnerabilities. A lawsuit filed by former IT security chief, Alan Rosa, claims that he was fired for objecting to these measures.

A former unnamed Twitter executive revealed that safeguarding high-profile accounts, including government officials’, was a priority before Musk’s acquisition. This effort involved alerts for suspected hacks and swift response measures. Unfortunately, the team responsible, which was also dedicated to election integrity, faced layoffs last year.

Last year, X restricted non-paying users from using two-factor authentication, a crucial security measure. The company claims to proactively secure accounts of government officials and political candidates, especially during sensitive civic processes.

Berglars stated that in the absence of robust security protocols, hackers can take over an account using a variety of techniques, such as utilizing previously compromised passwords or employing the SIM swapping method to gain control of a linked phone number.