SEC account hack and Bitcoin price surge renew spotlight on X's security concerns

The hack of the U.S. Securities and Exchange Commission's official account on X on Tuesday renewed concerns about the social media platform's security

Published - January 10, 2024 09:51 am IST - SAN FRANCISCO/WASHINGTON

An SEC spokesperson on Tuesday said the “unauthorized access” of its account by an “unknown party” had been revoked [File]

An SEC spokesperson on Tuesday said the “unauthorized access” of its account by an “unknown party” had been revoked [File] | Photo Credit: REUTERS

The hack of the U.S. Securities and Exchange Commission's official account on X on Tuesday renewed concerns about the social media platform's security since its takeover by billionaire Elon Musk in 2022.

The hackers posted false news about a widely anticipated announcement the SEC was expected to make about Bitcoin, leading the cryptocurrency's price to spike and alarming observers. The false post on @SECGov said the securities regulator had approved exchange-traded funds to hold Bitcoin. The SEC deleted the post roughly 30 minutes after it appeared.

It wasn't immediately clear how a hacker had gained access to the SEC's official account, but security analysts called the incident disquieting.

"Something like that, where you can take over the SEC account and potentially affect the value of Bitcoin in the market - there's massive opportunity for disinformation," said Austin Berglas, a former cybersecurity official at the FBI's New York office and a senior executive at the security firm BlueVoyant.

(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)

Accounts on X, formerly known as Twitter, can be hijacked by stealing passwords or tricking targets into giving up their login credentials, just like on any other social media platform. Accounts can also be taken over by breaching X's security - as happened in 2020, when a teenager masterminded a break-in of Twitter's internal computer network and seized control of dozens of high-profile accounts, including those of former President Barack Obama and Musk, well before he bought Twitter.

An SEC spokesperson on Tuesday said the "unauthorized access" of its account by an "unknown party" had been revoked and the agency was working with law enforcement and others in the government to investigate the matter.

X didn't respond to a series of questions for this story, but in a statement issued earlier Tuesday, the company said that the SEC's account was secure and the company was investigating the "root cause" of the account compromise.

Even before it was acquired by Musk and changed its name to X, however, Twitter was the subject of persistent security problems.

The 2019 arrest of a Saudi agent who had secretly combed the site's backend for personal information about the kingdom's dissidents raised concerns about Twitter's internal safeguards. The mass hijacking of top accounts the following year by the Florida teen heightened the concerns, with New York state's Department of Financial Services scolding the firm for falling prey to a "simple" hack. In 2022 Twitter's former security chief Peiter Zatko publicly turned on the company, before it was acquired by Musk, accusing it of a litany of security failings that he said jeopardised national security.

Musk has touted the company's security since buying Twitter in October 2022, but former staff say it has worsened since then. Musk ordered a 50% cut in X's physical security budget after buying the social media platform, and wanted to scrap programs aimed at helping it find and fix digital vulnerabilities, according to a lawsuit filed last month by Alan Rosa, former IT security chief at X. Rosa alleges he was fired when he objected to the measures.

A former Twitter executive, who declined to be named, said the protection of prominent accounts such as those of government officials was a major focus there prior to Musk's acquisition, and included alerts for suspected hacks with rapid response measures, but staffers who worked on that effort were part of an "election integrity" team that suffered layoffs last year.

Early last year, X limited the ability of non-paying users to implement two-factor authentication - a key security measure. X's website says the firm "proactively" protects and secures the accounts of government officials and political candidates that "may be particularly vulnerable during certain civic processes."

It is unclear if the SEC site had such security in place. If not, hackers could have taken over the account using an old leaked password, said Berglas.

"Anytime you're reducing a security function in a platform that does what X does, it is incredibly concerning," he added.

On Wednesday, X said that the account was compromised not after a breach of its systems, but “due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.