The US Securities and Exchange Commission said its account on social network X was "compromised," leading to a spike in the price of Bitcoin and raising fresh questions about X's reliability and the strength of its security practices.
The high-profile breach, one of the most consequential in years on the platform formerly known as Twitter, began with a post on the SEC's official verified account, which inaccurately shared that the regulator had approved spot-Bitcoin exchange-traded funds - a decision that had been anticipated for later this week. The price of Bitcoin shot up more than 2.5 percent as news of the post spread online and via media outlets, including Bloomberg News, that were watching the SEC's feed for such an announcement.
Within minutes, SEC chairman Gary Gensler jumped in from his own X account to clarify that the SEC's post was inaccurate, even as it remained on the platform for roughly 30 minutes. Bitcoin's price tumbled.
An SEC spokesperson confirmed there "was unauthorized access to and activity on the @SECGov x.com account by an unknown party."
"The account is secure and we are investigating the root cause," said Joe Benarroch, head of business operations at X.
This comes at a time when X and billionaire owner Elon Musk are seeking to win back trust from users and advertisers, many of whom are dismayed by Musk's free-for-all style of leadership since his 2022 takeover.
Musk has pivoted away from some of the prior regime's efforts to rein in offensive or harmful content, and has severely scaled back staff to save on costs, leading to regular bugs and outages.
"This has to be the most sophisticated use of a stolen Twitter account ever," said Alex Stamos, chief trust officer at SentinelOne and former security chief at Meta Platforms.
"At a minimum, this indicates that the hollowed-out X team can't keep up with advances in account takeover techniques."
X confirmed that "an unidentified individual" compromised the SEC's account by acquiring an associated phone number. It added that the regulator hadn't activated two-factor authentication - an extra layer of security that's become increasingly common with the rapid rise of cyberattacks around the world. SEC representatives didn't immediately respond to an email seeking comment after regular hours.
Social media accounts used by the US government are required to enable multi-factor authentication - which verifies a user's identity - said Allan Liska, an intelligence analyst at Recorded Future. "There are ways around it, such as authentication token cookie theft, which attackers could use," he said.















