SEC Discloses Multi-Factor Authentication Disabling Leading Up to False Bitcoin ETF Approval Post

A recent disclosure by the Securities and Exchange Commission (SEC) has shed light on a concerning incident involving the disabling of multi-factor authentication (MFA) on its X account. The compromise occurred on Tuesday, January 9, 2024, when the SEC’s official Twitter account, @SECGov, was breached and unauthorized posts regarding the approval of spot Bitcoin exchange-traded funds surfaced. This unauthorized access, revealed by an SEC spokesperson on January 22, was facilitated through a malicious ‘SIM swap’ attack, which allowed the attacker to take control, without authorization, of the agency cell phone number associated with the account.

One of the most troubling aspects of this incident is the revelation that multi-factor authentication had been disabled on the @SECGov X account since July 2023. It was allegedly done at the staff’s request, citing problems with accessing the account. MFA remained disabled until after the account was compromised. Although the SEC has stated that MFA is now enabled for all its social media accounts, this sequence of events raises serious concerns about the agency’s commitment to sound cybersecurity practices. The decision to disable MFA, even temporarily, highlights a significant oversight in protecting its social media accounts from unauthorized access.

As a consequence of the compromised account, the attacker was able to make false announcements about the Commission’s approval of spot Bitcoin exchange-traded funds. Moreover, the attacker liked two posts from non-SEC accounts, further adding to the credibility of the false information. The SEC, however, has emphasized that no evidence has been found to suggest that the unauthorized access extended beyond the compromised social media account. It has reassured the public that its systems, data, devices, and other social media accounts remained secure.

The SEC’s Cybersecurity Commitment

Acknowledging the concerns surrounding the security of its social media accounts, the SEC has asserted its commitment to fulfilling its cybersecurity obligations. The agency is currently working with law enforcement and federal oversight entities to evaluate the impact of this incident on the agency, investors, and the marketplace. The SEC also wants to assure the public that it does not rely on social media channels as the primary means to disseminate its actions. It has reiterated that official announcements are made on its official website, and any amplification through social media posts should be viewed with caution.

While the investigation into the exact method and motives behind the attack is ongoing, the SEC is determined to keep the public informed about progress and updates regarding the incident. It admits that further remedial measures may be necessary to address the concerns raised by the compromise of its social media accounts. The agency reasserts its commitment to cybersecurity and remains aware of the potential impact such incidents can have on investor confidence and the integrity of the marketplace.

The SEC’s disclosure of the disabling of multi-factor authentication leading up to the false Bitcoin ETF approval post raises significant concerns about the agency’s cybersecurity practices. The incident highlights the importance of implementing robust security measures to safeguard sensitive social media accounts from unauthorized access. As the investigations progress, it is crucial for the SEC to take concrete actions to restore public trust and ensure the security of its social media channels.

