SEC's X account hacked in embarrassing security lapse
Propagated fake news about bitcoin
The US Securities and Exchange Commission suffered an embarrassing security lapse on Tuesday when its official X account was hacked.
The hacker posted a fake announcement that the SEC had approved Bitcoin exchange-traded funds (ETFs).
The SEC has been considering approving ETFs as an alternative way for investors to buy bitcoin without going through a crypto exchange such as Binance or Coinbase, with a decision expected to be imminent.
The faked message raised false hope among bitcoin holders, and the cryptocurrency's price spiked briefly by around 2.5% before retreating again soon afterwards.
The message remained live on X (formerly Twitter) for 30 minutes, before SEC Chair Gary Gensler posted from his own account that the agency's account had been "compromised" and the post was "unauthorised."
X's safety team later said that the hack was made possible by the attacker having gained control of the phone number linked to the SEC account, not because of a breach of the social media platform's systems.
The incident raises serious questions about social media security, especially for official government accounts. Despite security requirements to use two-factor authentication, the SEC account apparently did not have this enabled, according to X's safety team, leaving it vulnerable to takeover.
"This has to be the most sophisticated use of a stolen Twitter account ever," said cybersecurity expert and former Meta security chief Alex Stamos, as reported by Bloomberg. "At a minimum, this indicates that the hollowed-out Twitter team can't keep up with advances in account takeover techniques."
The hack could potentially raise tensions between Elon Musk and the SEC. The two parties have a turbulent history, with the SEC recently opening an investigation into Musk's purchases of Twitter shares.
Global cybersecurity advisor at ESET, Jake Moore, commented: "This proves that accounts on Twitter continue to be targeted and if an official account is compromised then serious consequences can follow. Cryptocurrency scams remain the focal point and with social pressure on Twitter, they can still reap huge gains."
He added that "even more significance should be directed at training staff and account owners, especially when dealing with high profile accounts."
While hacking a prominent government agency's account represents a major coup for cryptocurrency scammers, government agencies are not the only targets in their sights. Last week, a prominent security company, Google-owned Mandiant, had its X account taken over for 6 hours to promote a crypto scam.
These embarrassing incidents highlight the need for better security practices by government agencies and businesses on social media, as well as the risks of relying on X as an authoritative news source, particularly since Musk's takeover.