The U.S. Securities and Exchange Commission (SEC) had its account on X (formerly Twitter) hacked Tuesday afternoon after a phone number linked to the account came under the hacker's control, most likely through SIM swapping. The incident also revealed that the agency did not have two-factor authentication (2FA) enabled on the account, according to X's preliminary investigation.
SEC X/Twitter hack: What happened?
The SEC X/Twitter hack disrupted the cryptocurrency market when the hijacked account published a post falsely announcing that the SEC approved Bitcoin ETFs. The price of Bitcoin jumped from just below $46,800 to a 19-month high of about $47,900 in the minutes after the post, then plummeted nearly 6% to $45,100 after SEC Chair Gary Gensler called out the hijacking on his own X page, according to CoinDesk.
“This tweet looked professional, with the right language and graphical design to be a plausible SEC announcement, and it had enough of an impact on the price of BTC to create a real opportunity for a well-funded actor to make a profit,” noted Alex Stamos, Chief Trust Officer at SentinelOne, in an email to SC Media.
The agency regained control of its X account within about 30 minutes and promptly deleted the rogue tweets. X also confirmed the account hijacking in a post on its safety page, which provided more details from its preliminary investigation into the hack.
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” the post read. “We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”
Backlash and ridicule quickly followed, with some poking fun at a poorly aged X post by Gensler made during Cybersecurity Awareness Month that urged users to “set up multifactor authentication” on their financial accounts.
Meanwhile, cybersecurity experts highlighted how the incident reinforces the importance of 2FA and multi-factor authentication (MFA), and how factors that do not depend on the phone number, such as an authenticator app or a hardware security key, keep a successful SIM swap from turning into an account takeover.
“In a secure world, if the SEC had deployed 2FA utilizing an authenticator application, such as Google or Microsoft, instead of receiving the ephemeral code via text message, it is likely that even a successful SIM swap would not be sufficient to take over the account,” Austin Berglas, global head of professional services at BlueVoyant, told SC Media.
How to prevent SIM swapping, account takeover
SIM swapping involves an attacker gaining control over a victim's phone number by convincing the victim's mobile carrier to reassign the number to a SIM card the attacker controls. The attacker then receives any calls and text messages sent to that number, and can use it to access online accounts linked to the number by requesting a password reset or a one-time login code delivered by phone or text.
Hackers can usually get phone providers to perform a SIM swap by providing enough personal information about the victim to impersonate them and claim they lost or damaged their original phone.
“This implies that mobile carriers need to do much better as this is happening frequently enough that it is clearly a concern,” noted Ira Winkler, CISO at CYE, in response to the SEC account breach.
One of the major dangers of SIM swapping is that it can bypass 2FA methods that use SMS or phone calls as a second factor. X cited this as a reason for disabling text message 2FA for non-Premium users beginning on March 20, 2023, while still providing the option of app- or security key-based 2FA for free users.
“Traditional 2FA methods such as SMS are weaker than other methods like an authenticator app or hardware key,” noted Darren Guccione, CEO and co-founder of Keeper Security, in an email to SC Media. “In fact, the National Institute of Standards and Technology (NIST) removed the use of SMS authentication from its recommended authentication methods list due to the potential vulnerabilities.”
However, Guccione added: “Some form of MFA is better than going without.”
Several cybersecurity experts who provided their opinions to SC Media agreed that the SEC’s failure to use 2FA was a major concern and made the agency an easy target for hijackers.
“The main lesson is that hackers will test the ‘lowest hanging fruit’ in their efforts. Not having MFA turned on should, at this point, be considered as basic,” said Bud Broomhead, CEO at Viakoo.
Berglas, of BlueVoyant, added, “most cyber criminals will see 2FA implemented and just move on to another target to compromise that does not utilize 2FA.”
Organizations can also protect themselves from SIM swapping by not linking their phone number to any important accounts, SocialProof Security CEO Rachel Tobac noted in her “Account Takeover Prevention Guide” following the SEC attack. On X, where users are required to link their phone number in order to become “verified,” Tobac recommended removing one’s phone number once the verification is complete, and provided instructions on how to do so.
“We ultimately don’t have control over the phone companies that should be protecting our data and identity tied to our phone number,” Tobac wrote. “They have to provide support quickly and haven’t nailed identity verification yet to prevent SIM Swapping.”
Senators challenge SEC to disclose breach details within 4 days
Members of the U.S. Congress also took notice of the SEC X/Twitter hacking incident, with Sens. JD Vance and Thom Tillis publishing a letter to Gensler Tuesday night demanding an explanation from the SEC about the breach.
“It is unacceptable that the agency entrusted with regulating the epicenter of the world’s capital markets would make such a colossal error,” Vance stated.
The letter asked about the SEC’s plans to investigate the breach and to rectify financial losses caused by the false announcement’s impact on investing decisions. The senators requested a briefing on the incident “as soon as possible,” and no later than Jan. 23, but also questioned whether the agency would be prepared to provide Congress with a detailed report within four business days, referencing the SEC’s own new rules on cybersecurity breach disclosure.
In a statement Wednesday afternoon, the SEC denied speculation that the post about Bitcoin ETF approval had been a draft already prepared by the agency, and said, "The SEC continues to investigate the matter and is coordinating with appropriate law enforcement entities, including the SEC's Office of the Inspector General and the FBI."
The commission added that its ruling on Bitcoin ETFs, still expected to come sometime on Wednesday, would be posted first on the SEC website and then published in the Federal Register — not announced on social media.
X sees ongoing trend of account hijackings promoting cryptocurrency scams
The SEC is the latest in a series of high-profile X account hijackings performed by cryptocurrency scammers within the first two weeks of 2024.
On Jan. 3, Mandiant — a Google-owned cybersecurity firm — had its X account taken over for several hours by a threat actor conducting a cryptocurrency drainer campaign.
Mandiant said Wednesday that the compromise was due to a “brute force password attack,” and that while the company had 2FA activated, “some team transitions and a change in X’s 2FA policy” resulted in the security lapse.
These incidents echo the major 2020 Twitter hijacking incident that claimed more than 100 high-profile accounts, including those belonging to Apple, Bill Gates, Joe Biden and Elon Musk. In that case, the breach resulted from spear phishing of Twitter employees.
Berglas told SC Media that in today’s age of social media, the stakes are too high for sites like X to not require 2FA use.
"There is no reason why a social media platform such as X — where compromised accounts can sow seeds of doubt and spread global disinformation within seconds — should not enforce this as a mandatory security feature as well," Berglas said. "There is no doubt that a compromise of an account belonging to an organization as prominent as the SEC will impact the trust in online, public messaging going forward."