(Bloomberg) -- The US Securities and Exchange Commission said its account on social network X was “compromised,” leading to a spike in the price of Bitcoin and raising fresh questions about X’s reliability as a source of information and the security options for its users.

The incident, one of the most consequential breaches in years on the platform formerly known as Twitter, began with a post on the SEC’s official verified account, which inaccurately shared that the regulator had approved spot-Bitcoin exchange-traded funds — a decision that had been anticipated for later this week. The price of Bitcoin quickly shot up more than 2.5% as news of the post spread online and via media outlets, including Bloomberg News, that were watching the SEC’s feed for such an announcement.

Within minutes, SEC Chair Gary Gensler jumped in from his own X account to clarify that the SEC’s post was inaccurate, even while the message remained up on X for roughly 30 minutes. “The @SECGov twitter account was compromised, and an unauthorized tweet was posted,” Gensler wrote on X. Bitcoin’s price tumbled.

An SEC spokesperson confirmed that there was “unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time.”

The high-profile breach comes at a time when X and billionaire owner Elon Musk are seeking to win back trust from both users and advertisers, many of which have been dismayed by Musk’s free-for-all style of leadership since his 2022 takeover. Musk has pivoted away from some of the prior regime’s efforts to rein in offensive or harmful content, and has severely scaled back staff to save on costs. Those cuts have led to regular bugs and outages.

“This has to be the most sophisticated use of a stolen Twitter account ever,” said Alex Stamos, chief trust officer at SentinelOne and former security chief at Meta Platforms Inc. “At a minimum, this indicates that the hollowed-out X team can’t keep up with advances in account takeover techniques.”


The social media service confirmed that “an unidentified individual” compromised the SEC’s account by acquiring an associated phone number. It added that the regulator hadn’t activated two-factor authentication — an extra layer of security that’s become increasingly common with the rapid rise of cyberattacks around the world. SEC representatives didn’t respond to an email seeking comment.

Joe Benarroch, head of business operations at X, later elaborated in a text exchange with Bloomberg and a post on X. “The bad actor was able to reset the password via” short message service, he wrote. “Once they had access to the account, the hacker added” two-factor authentication using what’s known as a time-based one-time password, essentially a single-use password that uses the current time to make it unique, as well as a backup code, Benarroch wrote.

“Then they posted on the account,” according to Benarroch. “And that’s when the SEC took notice and changed password via email.” That, he said, “stopped the hacker from accessing it again. Our team locked it down and started working with the SEC to restore access.”

“I don’t know the actual person,” he added in a text. “But this had nothing to do with a hack at X.”

Social media accounts used by the US government are required to enable multi-factor authentication — which requires a second proof of identity beyond the password before logging a user in — said Allan Liska, an intelligence analyst at Recorded Future. But he said this doesn’t eliminate the risk of a threat. “There are ways around it, such as authentication token cookie theft, that an attacker could use.”

In February 2023, X, then Twitter, made setting up two-factor authentication more difficult for users by eliminating the most common form of it — getting a text message with a verification code — unless users paid for the option. X’s decision to put it behind a paywall, a cost-savings move, led to criticism from security experts. The company still offered other ways to secure an account, such as using authenticator apps, but they required more work from users to set up.

X also has a long history when it comes to hacks, predating Musk’s acquisition. Before the ownership change, the social network instituted some extra internal protections for high-profile accounts, including heads of state, after a rogue employee briefly deactivated President Donald Trump’s account in 2017. 

Still, the network was far from locked down. The Twitter account of former Chief Executive Officer Jack Dorsey was compromised in 2019, and the hackers tweeted out racial slurs. In 2020, a Florida teenager gained control of several prominent accounts on the service, including Joe Biden’s and Barack Obama’s, to promote a Bitcoin scam. In early 2023, hackers posted a database of information, including email addresses, from hundreds of Twitter accounts.

Earlier this week, a politician in the UK claimed that his account was also hacked to promote a crypto scam. 

After Twitter’s former head of security, Peiter “Mudge” Zatko, left the company in early 2022, he filed a formal whistleblower complaint with US regulators that alleged shoddy privacy and security practices.

Some on Tuesday were quick to point out the irony of the SEC’s inaccurate post — internet security has been a priority of the commission in its regulation of public companies. In July, it adopted a set of rules requiring firms to say how they identify and manage cybersecurity risks, and laid out a process for reporting incidents. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler was quoted as saying in the release.

Regardless of who is to blame for Tuesday’s breach, the incident could create further tension between the SEC and Musk. The billionaire and the Wall Street regulator have a long, combative history, including most recently when the SEC opened an investigation into Musk’s Twitter share purchases before he acquired the company in 2022. The SEC said Musk failed to testify in the investigation and asked a judge to force him to do so.

Musk made light of the latest situation, responding to another X user who had jokingly asked, “What was the SEC’s password? Wrong answers only.”

“LFGDogeToTheMoon!!” Musk replied.

--With assistance from Margi Murphy, Chris Nagi, Jamie Tarabay and Allyson Versprille.

(Corrects spelling of name in ninth paragraph.)

©2024 Bloomberg L.P.