New details shed light on the recent hack of the SEC's X account.
On Jan. 9, the X account of the Securities and Exchange Commission (SEC) was hijacked by scammers who posted that the SEC had approved spot Bitcoin ETFs. The price of Bitcoin briefly spiked to roughly $48,000 before crashing once the post was disavowed. In one move, the attackers both took over the SEC's account and manipulated the Bitcoin market, presumably for profit.
The attack drew international criticism of the SEC, but for a little over two weeks there were no answers about how it happened.
To break down the timeline:
- In February 2023, Twitter (now X) notified users that SMS-based two-factor authentication (2FA) would no longer be available on free accounts and that they had to remove it (or switch to another method) or risk losing access. At the time, Twitter Blue had just launched and the company was pressuring users into subscribing.
- In March 2023, Twitter removed SMS-based 2FA for anyone without a subscription.
- In July 2023, after being locked out of the account because of its old SMS-based 2FA, SEC staff asked X support to disable 2FA on the account entirely.
- This month, the attackers carried out a SIM swap: they got the carrier to move the phone number associated with the SEC's X account onto a SIM they controlled, then used that number to reset the account password. With 2FA disabled, control of the phone number was all they needed.
After taking over the number, the attackers pulled off their scam before the SEC could regain control of the account. Eyebrows were raised at the fact that the SEC never re-enabled 2FA after regaining access in July. Ideally it would have switched to an authenticator app or a hardware security key, since SMS-based 2FA is itself defeated by a SIM swap.
In a dramatic twist, the SEC chair had himself posted on X about the importance of MFA only months earlier. In a sense, he wasn't wrong.
Still, X bears some of the responsibility. Although free accounts could still use an authenticator app or a security key, removing the most basic 2FA option in order to push users toward a subscription left a wave of users temporarily locked out of their accounts.
That said, it isn't a good look for the SEC.