Continue reading this on our app for a better experience

Open in App
Floating Button
Home News Cryptocurrency

SEC's 'compromised' account amplifies X trust, security concerns

Bloomberg
Bloomberg • 5 min read
SEC's 'compromised' account amplifies X trust, security concerns
Photo: Bloomberg
Font Resizer
Share to Whatsapp
Share to Facebook
Share to LinkedIn
Scroll to top
Follow us on Facebook and join our Telegram channel for the latest updates.

The US Securities and Exchange Commission said its account on social network X was “compromised,” leading to a spike in the price of Bitcoin and raising fresh questions about X’s reliability as a source of information and the strength of its security practices.

The incident, one of the most consequential breaches in years on the platform formerly known as Twitter, began with a post on the SEC’s official verified account, which inaccurately shared that the regulator had approved spot-Bitcoin exchange-traded funds — a decision that had been anticipated for later this week. The price of Bitcoin quickly shot up more than 2.5% as news of the post spread online and via media outlets, including Bloomberg News, that were watching the SEC’s feed for such an announcement.

Within minutes, SEC Chair Gary Gensler jumped in from his own X account to clarify that the SEC’s post was inaccurate, even while the message remained up on X for roughly 30 minutes. “The @SECGov twitter account was compromised, and an unauthorized tweet was posted,” Gensler wrote on X. Bitcoin’s price tumbled.

A SEC spokesperson confirmed that there was “unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time.” It’s unclear whether the commission’s account was compromised via X’s systems, or by some kind of user error or lapse, such as a stolen password. 

“The account is secure and we are investigating the root cause,” said Joe Benarroch, head of business operations at X, in a statement.

Still, the high-profile breach comes at a time when X and billionaire owner Elon Musk are seeking to win back trust from both users and advertisers, many of which have been dismayed by Musk’s free-for-all style of leadership since his 2022 takeover. Musk has pivoted away from some of the prior regime’s efforts to rein in offensive or harmful content, and has severely scaled back staff to save on costs. Those cuts have led to regular bugs and outages.

See also: Digital Assets Association launches to connect tradfi and tokenised real world assets

“This has to be the most sophisticated use of a stolen Twitter account ever,” said Alex Stamos, chief trust officer at SentinelOne and former security chief at Meta Platforms Inc. “At a minimum, this indicates that the hollowed-out X team can’t keep up with advances in account takeover techniques.”

Social media accounts used by the US government are required to enable multi-factor authentication — which verifies a user’s identity before logging them in — said Allan Liska, an intelligence analyst at Recorded Future. But he said this doesn’t eliminate the risk of a threat. “There are ways around it, such as authentication token cookie theft, that an attacker could use.”

X also has a long history when it comes to hacks, predating Musk’s acquisition. Before the ownership change, the social network instituted some extra internal protections for high-profile accounts, including heads of state, after a rogue employee briefly deactivated President Donald Trump’s account in 2017. 

See also: Ex-Grab executive joins Winklevoss twins crypto firm Gemini as head of APAC

Still, the network was far from locked down. The Twitter account of former Chief Executive Officer Jack Dorsey was compromised in 2019, and the hackers tweeted out racial slurs. In 2020, a Florida teenager gained control of several prominent accounts on the service, including Joe Biden’s and Barack Obama’s, to promote a Bitcoin scam. In early 2023, hackers posted a database of information, including email addresses, from hundreds of Twitter accounts.

Earlier this week, a politician in the UK claimed that his account was also hacked to promote a crypto scam. 

After Twitter’s former head of security, Peiter “Mudge” Zatko, left the company in early 2022, he filed a formal whistleblower complaint with US regulators that alleged shoddy privacy and security practices.

Some on Tuesday were quick to point out the irony of the SEC’s inaccurate post — internet security has been a priority of the commission in its regulation of public companies. In July, it adopted a set of rules requiring firms to say how they identify and manage cybersecurity risks, and laid out a process for reporting incidents. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler was quoted as saying in the release.

Regardless of who is to blame for Tuesday’s breach, the incident could create further tension between the SEC and Musk. The billionaire and the Wall Street regulator have a long, combative history, including most recently when the SEC opened an investigation into Musk’s Twitter share purchases before he acquired the company in 2022. The SEC said Musk failed to testify in the investigation and asked a judge to force him to do so.

Musk made light of the latest situation, responding to another X user who had jokingly asked, “What was the SEC’s password? Wrong answers only.”

“LFGDogeToTheMoon!!” Musk replied.

Highlights

Re test Testing QA Spotlight
1000th issue

Re test Testing QA Spotlight

Get the latest news updates in your mailbox
Never miss out on important financial news and get daily updates today
×
The Edge Singapore
Download The Edge Singapore App
Google playApple store play
Keep updated
Follow our social media
© 2024 The Edge Publishing Pte Ltd. All rights reserved.