Account hack on X renews spotlight on security concerns

Zeba Siddiqui and Raphael Satter
Jan 10, 2024, updated Jan 10, 2024

The US Securities and Exchange Commission says its X social media account was "compromised". Photo: NurPhoto via Getty

The hack of the United States Securities and Exchange Commission’s official account on X has renewed concerns about the social media platform’s security since its takeover by billionaire Elon Musk.

The hackers posted false news about a widely anticipated announcement the SEC was expected to make about Bitcoin, leading the cryptocurrency’s price to spike and alarming observers.

The false post on @SECGov said the securities regulator had approved exchange-traded funds to hold Bitcoin.

The SEC deleted the post about 30 minutes after it appeared.

X confirmed later on Tuesday, following a preliminary investigation, that the SEC’s account was compromised because an unidentified individual gained control over a phone number associated with the account through a third party.

The social media platform also said in a post that the SEC did not have two-factor authentication enabled at the time the account was compromised.

Although X said the compromise was not because of a breach of the platform’s systems, security analysts called the incident disquieting.

“Something like that, where you can take over the SEC account and potentially affect the value of Bitcoin in the market – there’s massive opportunity for disinformation,” said Austin Berglas, a former cyber security official at the FBI’s New York office and a senior executive at the security firm BlueVoyant.

Accounts on X, formerly known as Twitter, can be hijacked by stealing passwords or tricking targets into giving up their log-in credentials, just like on any other social media platform.

Accounts can also be taken over by breaching X’s security, as happened in 2020, when a teenager masterminded a break-in of Twitter’s internal computer network and seized control of dozens of high-profile accounts, including those of former president Barack Obama and Musk, well before he bought Twitter.

An SEC spokesperson on Tuesday said the “unauthorised access” of its account by an “unknown party” had been revoked and the agency was working with law enforcement and others in the government to investigate the matter.

In 2022, Twitter’s former security chief Peiter Zatko publicly turned on the company before it was acquired by Musk and changed its name to X, accusing it of a litany of security failings that he said jeopardised national security.

Musk ordered a 50 per cent cut in X’s physical security budget after buying the platform in October 2022 and wanted to scrap programs aimed at helping it find and fix digital vulnerabilities, according to a lawsuit filed last month by Alan Rosa, former IT security chief at X.

Rosa alleges he was fired when he objected to the measures.

X limited the ability of non-paying users to implement two-factor authentication in 2023 – a key security measure.

X’s website says the firm “proactively” protects and secures the accounts of government officials and political candidates that “may be particularly vulnerable during certain civic processes”.

It is unclear if the SEC site had such security in place.

-Reuters

Topics: Elon Musk, hack, X