
US lawmakers call for investigation into SEC X account takeover

Republican and Democrat odd couple want to know how the social media account of the Securities and Exchange Commission (SEC) was compromised.

David Hollingworth
Tue, 16 Jan 2024

A pair of US senators have called upon the Securities and Exchange Commission’s inspector general to begin an investigation into an apparent social media account takeover that impacted the SEC’s X account earlier in the week.

Senator Ron Wyden, Democrat, and Senator Cynthia Lummis, Republican, signed a joint letter to the SEC late last week regarding the SEC’s “apparent failure to follow cyber security best practices”.

The two senators have some pull, too. Lummis is a member of the Senate committee that oversees the SEC, while Wyden is the chair of the Senate finance committee.


The SEC’s X account was hacked on 10 January when an unknown threat actor hijacked the account and posted that the SEC was now allowing trading of spot bitcoin exchange-traded funds (ETFs). The post was online for less than an hour, and after it was removed, the SEC attempted to clear up the matter.

“The SECGov X account was compromised, and an unauthorised post was posted,” the SEC said in a tweet. “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”

X then conducted its own investigation and publicly declared that X was not at fault, effectively placing the blame squarely on the SEC.

“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the SECGov account through a third party,” an X spokesperson said in a tweet.

“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security.”

This statement from X has prompted the two senators to call for a more detailed investigation.

“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices,” the senators said in their letter, which was shared with and first reported on by Axios.

“Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cyber security. X has permitted users to restrict access to their accounts exclusively using security keys and to remove phone numbers, which can be easily hijacked by fraudsters, since 2021.”

Despite only being live for a half hour, the fraudulent tweet did lead to a rise in the value of bitcoin.

Ironically, a day later, the SEC did officially announce that it was supporting the trade of bitcoin ETFs, making the whole incident just that much more confusing.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
