On Tuesday, the official account of the US Securities and Exchange Commission (SEC) on a social media platform, referred to as X, was hacked. The incident has raised concerns about the security of the platform since its takeover by billionaire Elon Musk in 2022.
The hackers posted fake news about an anticipated announcement by the SEC regarding Bitcoin, causing the cryptocurrency’s value to surge and creating panic among observers. The post claimed that the securities regulator had authorized exchange-traded funds to hold Bitcoin. The SEC removed the post within 30 minutes of its appearance.
After conducting a preliminary investigation, X confirmed that the SEC’s account was compromised because an unknown individual gained control over a phone number connected to the account through a third party. X also revealed that the SEC did not have two-factor authentication enabled when the account was hacked.
While X maintained that the security breach was not caused by a compromise of its own systems, cybersecurity experts have expressed concerns about the potential for disinformation. Accounts on X can be hijacked by stealing passwords or by tricking targets into revealing their login credentials.
Accounts can also be taken over by exploiting X’s security infrastructure, as was the case in 2020 when a teenager broke into Twitter’s internal computer network and gained control of several high-profile accounts, including those of former President Barack Obama and Elon Musk. An SEC spokesperson stated that the agency was working with law enforcement and government agencies to investigate the incident. The security of X has been a persistent issue even before it was acquired by Musk and renamed.
The arrest of a Saudi agent in 2019, who had secretly accessed Twitter’s backend to obtain personal information about Saudi dissidents, raised concerns about Twitter’s internal safeguards. The mass hijacking of high-profile Twitter accounts in 2020 by a Florida teenager amplified these concerns, with the New York State Department of Financial Services criticizing the company for falling prey to a “simple” hack. Musk has touted the platform’s security since acquiring it in October 2022. However, former employees have claimed that the security has deteriorated since then.
Musk is said to have ordered a 50% cut in X’s physical security budget and wanted to eliminate programs aimed at identifying and fixing digital vulnerabilities. A former IT security chief at X has filed a lawsuit alleging that he was fired for objecting to these measures. A former Twitter executive stated that prior to Musk’s acquisition, the protection of prominent accounts, including those of government officials, was a major focus at the company. Staff worked on an “election integrity” team that received rapid response alerts for suspicious hacks. However, many of these staff members were laid off last year.
Last year, X also limited the ability of non-paying users to implement two-factor authentication, a crucial security measure. The X website claims to “proactively” protect and secure the accounts of government officials and political candidates that “may be particularly vulnerable during certain civic processes.” It is unclear if the SEC had such security measures in place. If not, the hackers could have gained access to the account using an old leaked password.