SEC social media hack highlights value of MFA
Cryptocurrency markets fluctuated wildly on the evening of Monday 9 January after the US financial regulator, the Securities and Exchange Commission (SEC), briefly appeared to claim it had approved spot bitcoin exchange-traded funds (ETFs) for the first time.
The fake announcement was made via X, the service formerly known as Twitter, at around 9pm GMT on 9 January, and was widely reported at the time. It stated that the SEC had granted approval for bitcoin ETFs on all registered national securities exchanges, which it may yet do later this week, and will be a landmark moment for crypto assets should it happen.
The statement, which was swiftly retracted, was in fact the result of a compromise of the SEC’s X account, which was confirmed by chair Gary Gensler moments later.
“The @SECGov Twitter account was compromised, and an unauthorised tweet was posted,” said Gensler via X. “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”
Computer Weekly understands the SEC was able to regain control of the account within an hour.
Following an investigation overnight, a spokesperson for X, which has been beset with problems since its takeover by erratic billionaire Elon Musk, said: “We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation.
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.
“We can also confirm that the account did not have two-factor authentication [2FA, MFA] enabled at the time the account was compromised. We encourage all users to enable this extra layer of security,” they said.
ESET global cyber security adviser Jake Moore said: “This proves that accounts on X continue to be targeted, and if an official account is compromised, then serious consequences can follow. Cryptocurrency scams remain the focal point, and with social pressure on X, they can still reap huge gains.
“Legitimate third-party access compromise or targeted social engineering are still the most common ways to…
