On a week when the Securities and Exchange Commission was expected to announce whether it would approve bitcoin ETFs, a hacker got access to the SEC's account on X, formerly known as Twitter, and falsely claimed Tuesday that the commission had approved such funds. The fiasco caused major fluctuations in the price of bitcoin.
In a post on X after the SEC regained control of the account, the commission acknowledged its X account had been compromised and that it had not approved spot bitcoin exchange-traded products.
An official X account said the compromise was not due to any breach of the social media platform's own systems. Rather, through a third party, "an unidentified individual" gained control over a phone number associated with the SEC's official government account.
In the post, X also claimed the SEC did not have two-factor authentication enabled at the time the account was compromised, which came as a surprise to Rachel Tobac, CEO of cybersecurity awareness company SocialProof Security.
"This is pretty wild to hear," Tobac said in a post on X, adding she was curious to see what the SEC would report in its own findings. The SEC so far has not provided details on how the hack occurred.
Prior to X announcing its preliminary findings, Tobac had said she thought it was unlikely the SEC would keep a phone number associated with the account or that it would neglect multifactor authentication. Both her assumptions appear to have been wrong, according to X's preliminary findings.
Unauthorized parties can gain control of phone numbers through a variety of methods. One of the main methods is a SIM swap scam, which involves fraudulently transferring a phone number to a fraudster-controlled device.
Attackers can deploy a SIM swap scam in a variety of ways. Often, the fraudster will gather personal details about the target, contact the target's cell service provider pretending to be the target and persuade the provider to transfer the target's phone number to the fraudster's device.
Tobac said if the SEC's findings align with X's that an unauthorized person gained control of a phone number associated with the account, the attacker may have been able to reset the SEC's account password using the phone number — even without access to the email associated with the account, because users can select whether to receive an email or text with a password reset link.
X's preliminary findings cast the SEC in a poor light, suggesting the commission failed to enable multifactor authentication even as it has cracked down on public companies over cybersecurity, recently requiring them to report material cybersecurity incidents within four days.
"Increasingly, cybersecurity risks and incidents are a fact of modern life," said Gary Gensler, chair of the SEC, last year during the announcement of the new reporting requirements. "When material incidents occur, they can have a range of consequences — including financial, operational, legal, or reputational."
X also received scrutiny for its own security practices after the attack. Tobac said the platform leaves verified accounts (such as the SEC's, which has a gray verification badge) vulnerable by requiring them to add a phone number to receive verification.
"Then, if you don't go and remove your phone number after the verification process, you're at risk for SIM swap account takeover through phone number password reset flow, especially if you don't have MFA enabled," Tobac said. "Many high profile accounts don't realize this risk is possible after they apply for 'verification' under the new pay-to-verify scheme."
After X owner Elon Musk bought the platform in April and implemented the pay-to-verify system, impersonation accounts flourished. In one prominent example, a prankster created an account imitating Eli Lilly, purchased a verification badge, and claimed in a post from the account that insulin had become free. The company's stock price
Impersonations were not the only problem that flourished with pay-to-verify. Musk's changes also caused some accounts that did not pay for verification to lose two-factor authentication.
Specifically, nonpaying accounts that opted to receive security codes via text message had their multifactor authentication disabled. Twitter
For other companies looking to avoid the SEC's fate of getting its X account hacked, Chris Pierson, CEO of cybersecurity firm BlackCloak, recommended using authentication codes as their second authentication factor on X — the ones that are generated by an app rather than sent via text message.
"The vast majority of these attacks usually boil down to a stolen or compromised password, lack of 2FA or a compromise of the phone number through SIM jacking that enables the attacker to steal the 2FA authentication codes," Pierson said. "Authenticator apps can mitigate SIM jacking code theft."