US securities regulator confirms unknown individual accessed its X social media account to post false message about ETFs
The agency governing financial matters in the United States admits that its social media account on X (formerly Twitter) was hacked and used to make a false declaration about an approval eagerly awaited by the crypto industry.
The Securities and Exchange Commission (SEC) on Tuesday confirmed that the “@SECGov X account was compromised, and an unauthorised post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”
The SEC account was briefly compromised by an unknown party after about 4pm Eastern time (21:00 GMT), and a post from it claimed that the agency had approved the long-awaited bitcoin exchange-traded funds (ETFs), Reuters reported.
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— U.S. Securities and Exchange Commission (@SECGov) January 9, 2024
The unauthorised post claimed that the SEC had granted approval for bitcoin ETFs on all registered national securities exchanges and included a picture purporting to quote SEC Chair Gary Gensler.
The price of bitcoin rose after the post.
The fake post came as the SEC had been widely expected to approve a batch of ETFs that track the price of bitcoin, which would have been a pivotal development for the crypto industry.
The “unauthorised access has been terminated,” the US financial agency reportedly said, adding that it would work with law enforcement to investigate the hack and “related conduct.”
Elon Musk’s X also confirmed that the SEC’s account (and not Twitter’s systems) had been compromised after the hacker apparently obtained control of a phone number associated with the agency’s account through a third party.
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
“We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation,” it said. “Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”
And in an unbelievable security lapse, it seems that the SEC had not switched on two-factor authentication for the account.
“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised,” X confirmed.
The compromise of the official social media account of the US financial regulator was noted by Jake Moore, global cybersecurity advisor at ESET, who predicted that there would be serious consequences from the hack.
“This proves that accounts on X continue to be targeted and if an official account is compromised then serious consequences can follow,” said Moore. “Cryptocurrency scams remain the focal point and with social pressure on X, they can still reap huge gains.”
“Legitimate third party access compromise or targeted social engineering are still the most common ways to obtain access to an account which leaves the security onus very much on individuals,” said Moore. “Therefore, even more significance should be directed at training staff and account owners especially when dealing with high profile accounts.”