SEC investigates X security breach amid Bitcoin ETF approval rumours

The US regulator's account was compromised, amplifying security concerns about the social media platform

The Bitcoin ETF post on X is one of the most consequential breaches in years on the social media platform formerly known as Twitter. Reuters
Powered by automated translation

The US Securities and Exchange Commission said its account on X, formerly Twitter, was “compromised”, leading to a sharp rise in the price of Bitcoin and raising new questions about the social media platform's reliability as a source of information and the strength of its security practices.

The incident, one of the most consequential breaches in years on X, began with a post on the SEC’s official verified account, which inaccurately shared that the regulator had approved spot Bitcoin exchange-traded funds – a decision that had been expected later this week.

The price of Bitcoin quickly shot up more than 2.5 per cent as news of the post spread online and via media outlets that were watching the SEC’s feed for such an announcement.

Within minutes, SEC chairman Gary Gensler jumped in from his own X account to clarify that the SEC’s post was inaccurate, even while the message remained up on the social media platform for about 30 minutes.

“The @SECGov twitter account was compromised, and an unauthorised tweet was posted,” Mr Gensler wrote on X. Bitcoin’s price then tumbled.

An SEC representative confirmed that there was “unauthorised access to and activity on the @SECGov account by an unknown party for a brief period of time”.

It is unclear whether the commission’s account was compromised via X’s systems, or by some kind of user error or lapse, such as a stolen password.

“The account is secure and we are investigating the root cause,” said Joe Benarroch, head of business operations at X.

Still, the high-profile breach comes at a time when X and billionaire owner Elon Musk are seeking to win back trust from both users and advertisers, many of which have been dismayed by Mr Musk’s free-for-all style of leadership since his 2022 takeover.

Mr Musk has pivoted away from some of the previous management’s efforts to rein in offensive or harmful content, and has severely scaled back staff to save on costs. Those cuts have led to regular bugs and disruptions.

“This has to be the most sophisticated use of a stolen Twitter account ever,” said Alex Stamos, chief trust officer at SentinelOne and former security chief at Meta Platforms.

“At a minimum, this indicates that the hollowed-out X team can’t keep up with advances in account takeover techniques.”

Social media accounts used by the US government are required to enable multi-factor authentication, which verifies a user’s identity before logging them in, said Allan Liska, an intelligence analyst at Recorded Future.

However, this does not eliminate the risk of a threat, Mr Liska added.

“There are ways around it, such as authentication token cookie theft, that an attacker could use.”

X also has a long history when it comes to hacks, predating Mr Musk’s acquisition.

Before the ownership change, the social network instituted some extra internal protections for high-profile accounts, including heads of state, after a rogue employee briefly deactivated President Donald Trump’s account in 2017.

Still, the network was far from locked down.

The Twitter account of former chief executive Jack Dorsey was compromised in 2019, and the hackers tweeted out racial slurs.

Watch: Twitter drops famous bird for new X logo

Twitter drops famous bird for new X logo

Twitter drops famous bird for new X logo

In 2020, a Florida teenager gained control of several prominent accounts on the service, including Joe Biden’s and Barack Obama’s, to promote a Bitcoin fraud scheme.

In early 2023, hackers posted a database of information, including email addresses, from hundreds of Twitter accounts.

Earlier this week, a politician in the UK claimed that his account was also hacked to promote a crypto fraud scheme.

After Twitter’s former head of security, Peiter “Mudge” Zatko, left the company in early 2022, he filed a formal whistleblower complaint with US regulators that alleged shoddy privacy and security practices.

On Tuesday, some were quick to point out the irony of the SEC’s inaccurate post – internet security has been a priority of the commission in its regulation of public companies.

In July, it adopted a set of rules requiring companies to say how they identify and manage cyber security risks, and laid out a process for reporting incidents.

“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” Mr Gensler was quoted as saying.

Regardless of who is to blame for Tuesday’s breach, the incident could create further tension between the SEC and Mr Musk.

The billionaire and the Wall Street regulator have a long, combative history, including most recently when the SEC opened an investigation into Mr Musk’s Twitter share purchases before he acquired the company in 2022.

The SEC said Mr Musk failed to testify in the investigation and asked a judge to force him to do so.

Mr Musk made light of the latest situation, responding to another X user who had jokingly asked, “What was the SEC’s password? Wrong answers only.”

“LFGDogeToTheMoon!!” Mr Musk replied.

Updated: January 10, 2024, 6:11 AM