SEC account hack amplifies concerns over security at Elon Musk’s X

The high-profile breach comes at a time when X and its owner Elon Musk are seeking to win back trust from both users and advertisers. PHOTO: AFP
Updated
Jan 10, 2024, 02:24 PM
Published
Jan 10, 2024, 01:35 PM

SAN FRANCISCO - The US Securities and Exchange Commission (SEC) said its account on social network X was “compromised”, leading to a spike in the price of Bitcoin and raising fresh questions about X’s reliability as a source of information and the strength of its security practices.

The incident, one of the most consequential breaches in years on the platform formerly known as Twitter, began with a post on the SEC’s official verified account, which inaccurately shared that the regulator had approved spot-Bitcoin exchange-traded funds (ETFs) – a decision that had been anticipated for later this week. The price of Bitcoin quickly shot up more than 2.5 per cent as news of the post spread online and via media outlets, that were watching the SEC’s feed for such an announcement.

Within minutes, SEC chair Gary Gensler jumped in from his own X account to clarify that the SEC’s post was inaccurate, even while the message remained up on X for roughly 30 minutes. “The @SECGov Twitter account was compromised, and an unauthorised tweet was posted,” Mr Gensler wrote on X. Bitcoin’s price tumbled.

Mr Joe Benarroch, head of business operations at X, said in a statement: “The account is secure, and we are investigating the root cause.”

Still, the high-profile breach comes at a time when X and billionaire owner Elon Musk are seeking to win back trust from both users and advertisers, many of which have been dismayed by Mr Musk’s free-for-all style of leadership since his 2022 takeover. Mr Musk has pivoted away from some of the prior regime’s efforts to rein in offensive or harmful content, and has severely scaled back staff to save on costs. Those cuts have led to regular bugs and outages.

Mr Alex Stamos, chief trust officer at SentinelOne and former security chief at Meta Platforms, said: “This has to be the most sophisticated use of a stolen Twitter account ever. At a minimum, this indicates that the hollowed-out X team can’t keep up with advances in account takeover techniques.”

The social media service confirmed that “an unidentified individual” compromised the SEC’s account by acquiring an associated phone number. It added that the regulator had not activated two-factor authentication – an extra layer of security that has become increasingly common with the rapid rise of cyber attacks around the world.

Social media accounts used by the US government are required to enable multifactor authentication – which verifies a user’s identity before logging them in – said Mr Allan Liska, an intelligence analyst at Recorded Future. But he said this does not eliminate the risk of a threat. “There are ways around it, such as authentication token cookie theft, that an attacker could use.”

X also has a long history when it comes to hacks, predating Mr Musk’s acquisition. Before the ownership change, the social network instituted some extra internal protections for high-profile accounts, including heads of state, after a rogue employee briefly deactivated then US president Donald Trump’s account in 2017.

Still, the network was far from locked down. The Twitter account of former chief executive officer Jack Dorsey was compromised in 2019, and the hackers tweeted out racial slurs. In 2020, a Florida teenager gained control of several prominent accounts on the service, including Mr Joe Biden’s and Mr Barack Obama’s, to promote a Bitcoin scam. In early 2023, hackers posted a database of information, including e-mail addresses, from hundreds of Twitter accounts.

After Twitter’s former head of security, Mr Peiter “Mudge” Zatko, left the company in early 2022, he filed a formal whistleblower complaint with US regulators that alleged shoddy privacy and security practices.

Some were quick to point out the irony of the SEC’s inaccurate post – Internet security has been a priority of the commission in its regulation of public companies. In July, it adopted a set of rules requiring firms to say how they identify and manage cyber-security risks, and laid out a process for reporting incidents. “Whether a company loses a factory in a fire – or millions of files in a cyber-security incident – it may be material to investors,” Mr Gensler was quoted as saying in the release.

Regardless of who is to blame for the Jan 9 breach, the incident could create further tension between the SEC and Mr Musk. The billionaire and the Wall Street regulator have a long, combative history, including most recently when the SEC opened an investigation into Mr Musk’s Twitter share purchases before he acquired the company in 2022. The SEC said Mr Musk failed to testify in the investigation and asked a judge to force him to do so.

Mr Musk made light of the latest situation, responding to another X user who had jokingly asked: “What was the SEC’s password? Wrong answers only.” BLOOMBERG

More On This Topic
Bitcoin sees brief frenzy after hacker falsely claims on SEC’s X account that ETFs won approval
Crypto exchange HTX hit by $346 million outflow in wake of hack

Join ST's Telegram channel and get the latest breaking news delivered to you.

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top