After hack, X claims SEC failed to use two-factor authentication
The social media platform X accused the Securities and Exchange Commission of failing to implement strong security features after the agency’s account on the platform was hijacked and used to falsely claim that the regulatory body had approved the trading of exchange traded funds holding bitcoin.
In a statement late Tuesday, the social media network formerly known as Twitter said that “the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.” The statement added that the SEC had failed to enable two-factor authentication for its account on X.
On Tuesday, the SEC’s official account on X posted that the agency had approved the trading of bitcoin ETFs, which briefly caused the price of bitcoin to jump before SEC Chair Gary Gensler said that the statement was false and was the result of the agency’s account being compromised. Bitcoin investors and speculators have been eagerly awaiting the SEC’s decision on whether to approve bitcoin ETFs, and on Wednesday, 24 hours after a hack resulted in a false statement about approval, the agency did in fact greenlight bitcoin ETFs.
In a statement on Wednesday about the hack, a spokesperson for the SEC said that the agency “continues to investigate the matter and is coordinating with appropriate law enforcement entities, including the SEC’s Office of the Inspector General and the FBI.”
While the details of how Tuesday’s attacker managed to gain control of the SEC account, the statement from X suggests that the attack may have been carried out via sim-swapping, which involves gaining control of a cellular phone number by convincing a mobile carrier to transfer a number to a sim card controlled by the attacker.
Once the attacker controls the victim’s phone number, they can use that phone number to reset the password of accounts belonging to the victim. If the victim uses the same number as their two-factor authentication, the attacker will be able to intercept two-factor codes as well.
Sim-swapping attacks are a prolific source of account takeovers, and Tuesday’s attack on the SEC’s Twitter account was only novel insofar as it affected a government account and caused a sharp swing in financial markets.
In the aftermath of Elon Musk’s acquisition of Twitter, former employees have raised concerns that widespread layoffs and employee departures has undermined security on the platform. Security researchers and telecommunication firms have urged the company for years to adopt best practices with regards to preventing sim-swapping attacks, but these warnings have fallen on deaf ears.
“There have been security contacts at telcos trying to reach out to Twitter but everyone we (and the community) knows that worked on their security team and was responsive has quit,” Allison Nixon, the chief research officer at the cybersecurity firm Unit 221B, said in an online chat, referring to the information security community.
If the SEC had failed to enable two-factor authentication — as the statement from X claimed — the agency would be in violation of federal government guidance. A December 2021 advisory from the Cybersecurity and Infrastructure Security Agency urges federal agencies to enforce multi-factor authentication for their social media accounts, among other actions.
The SEC did not respond to a query from CyberScoop about whether X’s description of the agency’s security practices was accurate. CISA referred questions about the incident to the SEC.
CyberScoop reporter AJ Vicens and FedScoop reporter Rebecca Heilweil contributed to this article.
