SEC account hack renews spotlight on X's security concerns
[January 10, 2024]
By Zeba Siddiqui and Raphael Satter
SAN FRANCISCO/WASHINGTON (Reuters) - The hack of the U.S. Securities and
Exchange Commission's official account on X on Tuesday renewed concerns
about the social media platform's security since its takeover by
billionaire Elon Musk in 2022.
The hackers posted false news about a widely anticipated announcement
the SEC was expected to make about bitcoin, leading the cryptocurrency's
price to spike and alarming observers. The false post on @SECGov said
the securities regulator had approved exchange-traded funds to hold
bitcoin. The SEC deleted the post about 30 minutes after it appeared.
X confirmed later on Tuesday, following a preliminary investigation,
that the SEC's account was compromised because an unidentified
individual gained control over a phone number associated with the
account through a third party.
The social media platform also said in a post that the SEC did not have
two-factor authentication enabled at the time the account was
compromised.
While X said the compromise was not because of a breach of the
platform's systems, security analysts called the incident disquieting.
"Something like that, where you can take over the SEC account and
potentially affect the value of bitcoin in the market - there's massive
opportunity for disinformation," said Austin Berglas, a former
cybersecurity official at the FBI's New York office and a senior
executive at the security firm BlueVoyant.
Accounts on X, formerly known as Twitter, can be hijacked by stealing
passwords or tricking targets into giving up their login credentials,
just like on any other social media platform. Accounts can also be taken
over by breaching X's security, as happened in 2020, when a teenager
masterminded a break-in of Twitter's internal computer network and
seized control of dozens of high-profile accounts, including those of
former President Barack Obama and Musk, well before he bought Twitter.
An SEC spokesperson on Tuesday said the "unauthorized access" of its
account by an "unknown party" had been revoked and the agency was
working with law enforcement and others in the government to investigate
the matter.
SECURITY PROBLEMS
Even before it was acquired by Musk and changed its name to X, however,
Twitter was the subject of persistent security problems.
The 2019 arrest of a Saudi agent who had secretly combed the site's
backend for personal information about the kingdom's dissidents raised
concerns about Twitter's internal safeguards.
[Photo: 'X' logo is seen on the top of the headquarters of the messaging platform X, formerly known as Twitter, in downtown San Francisco, California, U.S., July 30, 2023. REUTERS/Carlos Barria/File Photo]
The mass hijacking of top accounts the following year by the Florida
teen heightened the concerns, with New York state's Department of
Financial Services scolding the firm for falling prey to a "simple"
hack. In 2022 Twitter's former security chief Peiter Zatko publicly
turned on the company, before it was acquired by Musk, accusing it
of a litany of security failings that he said jeopardized national
security.
Musk has touted the company's security since buying Twitter in
October 2022, but former staff say it has worsened since then. Musk
ordered a 50% cut in X's physical security budget after buying the
social media platform, and wanted to scrap programs aimed at helping
it find and fix digital vulnerabilities, according to a lawsuit
filed last month by Alan Rosa, former IT security chief at X. Rosa
alleges he was fired when he objected to the measures.
A former Twitter executive, who declined to be named, said the
protection of prominent accounts such as those of government
officials was a major focus there prior to Musk's acquisition, and
included alerts for suspected hacks with rapid response measures,
but staffers who worked on that effort were part of an "election
integrity" team that suffered layoffs last year.
Early last year, X limited the ability of non-paying users to
implement two-factor authentication, a key security measure. X's
website says the firm "proactively" protects and secures the
accounts of government officials and political candidates that "may
be particularly vulnerable during certain civic processes."
Without such security in place, hackers could have taken over the
account through various methods including using an old leaked
password or gaining access to a phone number linked to the account
through a technique known as SIM swapping, said Berglas.
"Anytime you're reducing a security function in a platform that does
what X does, it is incredibly concerning," he added.
(Additional reporting by Sheila Dang and Jyoti Narayan; Editing by
Leslie Adler and Christian Schmollinger)
© 2023 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. Thomson Reuters is solely responsible for this content.