The United States Securities and Exchange Commission’s official X account hacked on Tuesday has raised concerns about the social media platform’s security since its takeover by billionaire Elon Musk in 2022.
U.S Securities and Exchange Commission verified X’s account was compromised on Tuesday, with a post published that the regulator approved a bitcoin exchange-traded fund.
According to Reuters, the hackers posted false news about a widely anticipated announcement the SEC was expected to make about bitcoin, leading the cryptocurrency’s price to spike and alarming observers.
The false post on @SECGov, revealed that the securities regulator had approved exchange-traded funds to hold bitcoin.
Meanwhile, the SEC deleted the post about 30 minutes after it appeared.
X confirmed later on Tuesday, following a preliminary investigation, that the SEC’s account was compromised because an unidentified individual gained control over a phone number associated with the account through a third party.
The social media platform equally noted in a post that the SEC did not have two-factor authentication enabled at the time the account was compromised.
While X said the compromise was not because of a breach of the platform’s systems, security analysts called the incident disquieting.
Reacting to this incident, a former cybersecurity official at the FBI’s New York office and a senior executive at the security firm BlueVoyant, Austin Berglas said, “Something like that, where you can take over the SEC account and potentially affect the value of bitcoin in the market – there’s massive opportunity for disinformation.”
Accounts on X, formerly known as Twitter, can be hijacked by stealing passwords or tricking targets into giving up their login credentials, just like on any other social media platform. Accounts can also be taken over by breaching X’s security, as happened in 2020, when a teenager orchestrated a break-in of Twitter’s internal computer network and took control of dozens of high-profile accounts, including those of former President Barack Obama and Musk, well before he bought Twitter.
An SEC spokesperson on Tuesday said the “unauthorized access” of its account by an “unknown party” had been revoked and the agency was working with law enforcement and others in the government to prove the matter.
Indeed, even before it was procured by Musk and changed its name to X, nonetheless, Twitter was the subject of relentless security issues.
The 2019 capture of a Saudi specialist who had furtively searched the site’s backend for individual data about the realm’s protesters raised worries about Twitter’s inside shields.
The mass hijacking of top accounts the following year by the Florida teen uplifted the worries, with New York state’s Division of Monetary Administrations chastening the firm for succumbing to a “straightforward” hack. In 2022 Twitter’s previous security boss Peiter Zatko freely turned on the organization, before it was procured by Musk, blaming it for a reiteration of safety shortfalls that he said risked public safety.
Musk has touted the company’s security since buying Twitter in October 2022, but former staff say it has deteriorated since then. Musk ordered a 50% cut in X’s physical security budget after buying the social media platform, and wanted to scrap programs targeting at helping it find and fix digital vulnerabilities, according to a lawsuit filed last month by Alan Rosa, former IT security chief at X. Rosa alleges he was fired when he objected to the measures.
A former Twitter executive, who craved anonymity noted that the protection of prominent accounts such as those of government officials was a major priority there prior to Musk’s acquisition, and included alerts for suspected hacks with rapid response measures, but staffers who worked on that effort were part of an “election integrity” team that suffered layoffs last year.
Early last year, X restricted the capacity of non-paying clients to execute two-factor verification, a key safety effort. X’s site says the firm “proactively” safeguards and gets the records of government authorities and political up-and-comers that “may be particularly vulnerable during certain civic processes.”
Without such security in place, hackers could have taken over the account through various methods including using an old leaked password or gaining access to a phone number linked to the account through a technique known as SIM swapping, said Berglas.
“Anytime you’re reducing a security function in a platform that does what X does, it is incredibly concerning,” he added.