Washington January 10 2024: The US Securities and Exchange Commission said its account on social network X was “compromised,” leading to a spike in the price of Bitcoin and raising fresh questions about X’s reliability as a source of information and the strength of its security practices.
The incident, one of the most consequential breaches in years on the platform formerly known as Twitter, began with a post on the SEC’s official verified account, which inaccurately shared that the regulator had approved spot-Bitcoin exchange-traded funds — a decision that had been anticipated for later this week. The price of Bitcoin quickly shot up more than 2.5% as news of the post spread online and via media outlets, including Bloomberg News, that were watching the SEC’s feed for such an announcement.
Within minutes, SEC Chair Gary Gensler jumped in from his own X account to clarify that the SEC’s post was inaccurate, even while the message remained up on X for roughly 30 minutes. “The @SECGov twitter account was compromised, and an unauthorized tweet was posted,” Gensler wrote on X. Bitcoin’s price tumbled.
A SEC spokesperson confirmed that there was “unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time.”
“The account is secure and we are investigating the root cause,” said Joe Benarroch, head of business operations at X, in a statement.
Still, the high-profile breach comes at a time when X and billionaire owner Elon Musk are seeking to win back trust from both users and advertisers, many of which have been dismayed by Musk’s free-for-all style of leadership since his 2022 takeover. Musk has pivoted away from some of the prior regime’s efforts to rein in offensive or harmful content, and has severely scaled back staff to save on costs. Those cuts have led to regular bugs and outages.
“This has to be the most sophisticated use of a stolen Twitter account ever,” said Alex Stamos, chief trust officer at SentinelOne and former security chief at Meta Platforms Inc. “At a minimum, this indicates that the hollowed-out X team can’t keep up with advances in account takeover techniques.”
The social media service confirmed that “an unidentified individual” compromised the SEC’s account by acquiring an associated phone number. It added that the regulator hadn’t activated two-factor authentication — an extra layer of security that’s become increasingly common with the rapid rise of cyberattacks around the world. SEC representatives didn’t immediately respond to an email seeking comment after regular hours.
Social media accounts used by the US government are required to enable multi-factor authentication — which verifies a user’s identity before logging them in — said Allan Liska, an intelligence analyst at Recorded Future. But he said this doesn’t eliminate the risk of a threat. “There are ways around it, such as authentication token cookie theft, that an attacker could use.”
X also has a long history when it comes to hacks, predating Musk’s acquisition. Before the ownership change, the social network instituted some extra internal protections for high-profile accounts, including heads of state, after a rogue employee briefly deactivated President Donald Trump’s account in 2017.
Still, the network was far from locked down. The Twitter account of former Chief Executive Officer Jack Dorsey was compromised in 2019, and the hackers tweeted out racial slurs. In 2020, a Florida teenager gained control of several prominent accounts on the service, including Joe Biden’s and Barack Obama’s, to promote a Bitcoin scam. In early 2023, hackers posted a database of information, including email addresses, from hundreds of Twitter accounts.
Earlier this week, a politician in the UK claimed that his account was also hacked to promote a crypto scam.
After Twitter’s former head of security, Peiter “Mudge” Zatko, left the company in early 2022, he filed a formal whistleblower complaint with US regulators that alleged shoddy privacy and security practices.
Some on Tuesday were quick to point out the irony of the SEC’s inaccurate post — internet security has been a priority of the commission in its regulation of public companies. In July, it adopted a set of rules requiring firms to say how they identify and manage cybersecurity risks, and laid out a process for reporting incidents. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler was quoted as saying in the release.
Regardless of who is to blame for Tuesday’s breach, the incident could create further tension between the SEC and Musk. The billionaire and the Wall Street regulator have a long, combative history, including most recently when the SEC opened an investigation into Musk’s Twitter share purchases before he acquired the company in 2022. The SEC said Musk failed to testify in the investigation and asked a judge to force him to do so.
Musk made light of the latest situation, responding to another X user who had jokingly asked, “What was the SEC’s password? Wrong answers only.”