X blames SEC account hack on lack of two-factor authentication

10 Jan 2024

Image: © Kristina Blokhin/Stock.adobe.com

X said that the SEC’s account was compromised because an ‘unidentified individual’ obtained control over a phone number through a third party.

The US Securities and Exchange Commission (SEC) fell victim to a hack on social media platform X after its account was breached and a post was made that inaccurately claimed the US agency had approved the trading of a certain bitcoin product.

In a post on X yesterday (9 January), chair Gary Gensler said that the agency’s account was “compromised” and that an “unauthorised” post was made. “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products,” he wrote.

The platform formerly known as Twitter promptly investigated the hack and concluded that the compromise was “not due to any breach” of its systems but because an “unidentified individual” obtained control over a phone number associated with the account through a third party.

“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security,” X posted.

Bitcoin prices surged in the aftermath of the hack and the misleading post claiming Bitcoin ETFs had been approved, according to CNBC, but fell soon after the SEC clarification was published.

Crypto investors weren’t the only one who were disappointed, however. US senator Bill Hagerty, who is the former ambassador to Japan, called the compromise “unacceptable”.

“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened,” he said.

Jake Moore, global cybersecurity adviser at ESET, said that the latest SEC hack proves that accounts on X continue to be targeted and if an official account is compromised then “serious consequences” can follow.

“Cryptocurrency scams remain the focal point and with social pressure on X, they can still reap huge gains. Legitimate third-party access, compromise or targeted social engineering are still the most common ways to obtain access to an account which leaves the security onus very much on individuals,” he said.

“Therefore, even more significance should be directed at training staff and account owners especially when dealing with high-profile accounts.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic