X blames SEC for account takeover as commission begins investigation
Social media site X, formerly Twitter, denied responsibility for the takeover of the Securities and Exchange Commission’s (SEC) account on Tuesday evening.
The social media site did not respond to requests for comment but released a statement on Wednesday refuting claims that it was at fault for the SEC account takeover.
“We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” the site’s safety team said.
“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security.”
The comments came after widespread alarm on Tuesday evening when the SEC’s account tweeted a message claiming the commission granted approval for bitcoin exchange-traded funds (ETFs) to be listed on national securities exchanges — a pet issue of cryptocurrency enthusiasts.
The tweet was sent out around 4 p.m. Eastern and was deleted within an hour. Both the SEC and Chairman Gary Gensler said the post was inaccurate and came after the account had been compromised.
In a statement to Recorded Future News, the SEC said it “determined that there was unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time shortly after 4 pm ET.”
“That unauthorized access has been terminated,” they said. “The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”
Google-owned cybersecurity firm Mandiant, the deputy leader of the United Kingdom’s Green Party and a Canadian senator have all had their accounts hijacked in the last week.
Those incidents represent the convergence of several issues facing the social media site. Since the platform was purchased by Tesla CEO Elon Musk, it has become overrun with cryptocurrency scams. Several security researchers have also said they have issues contacting the social media site when cybersecurity issues are discovered.
Last month, two researchers discovered vulnerabilities in Twitter that were not addressed for weeks by the social media site’s team.
Chaofan Shou, a PhD student at the University of California, Berkeley, told Recorded Future News that the company never replied to his email about the issue.
Cybersecurity expert Rachel Tobac noted that one recent issue she has found is that accounts must add a phone number to become verified.
It’s possible to delete it after the verification process is complete, but if you don’t, “you’re at risk for SIM swap account takeover thru phone number password reset flow (especially if you don’t have MFA enabled),” she said.
SIM swappers seek to trick mobile carriers into transferring a victim’s phone number to a new device.
“Many high profile accounts don’t realize this risk is possible after they apply for ‘verification’ under the new pay-to-verify scheme,” Tobac added.
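The recovery weakness Tobac describes (a phone number left bound after verification, password reset by SMS code, no MFA) can be modelled as a policy check. The following is an added example, not code from X or from the article; the account fields, the seven-day cool-off after a number change, and the `second_proof` values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Account:
    handle: str
    phone_bound: bool          # verified phone still attached after verification
    mfa_enabled: bool
    email_verified: bool
    phone_changed_at: Optional[datetime] = None  # when the number was last (re)bound

def permissive_sms_reset(acct: Account) -> bool:
    """Weak rule: a code sent to the bound phone alone resets the password,
    so whoever controls the number (e.g. after a SIM swap) controls the account."""
    return acct.phone_bound

def hardened_sms_reset(acct: Account, second_proof: Optional[str], now: datetime,
                       cooloff: timedelta = timedelta(days=7)) -> tuple[bool, str]:
    """Hardened rule: SMS never suffices alone, and is refused during a cool-off
    window after a phone-number change (constructed policy, not X's)."""
    if not acct.phone_bound:
        return False, "no phone on account"
    if acct.phone_changed_at and now - acct.phone_changed_at < cooloff:
        return False, "phone number changed recently; SMS reset suspended"
    if acct.mfa_enabled:
        # A reset flow must not become a path around MFA; the factor is still required.
        return second_proof == "mfa", "MFA factor required alongside SMS code"
    if acct.email_verified:
        return second_proof == "email", "email confirmation required alongside SMS code"
    return False, "no second independent channel; escalate to support review"

def audit(acct: Account) -> list[str]:
    """Hygiene findings for a profile shaped like the one described above."""
    findings = []
    if acct.phone_bound and not acct.mfa_enabled:
        findings.append("phone-based reset with no MFA: exposed to SIM-swap takeover")
    if acct.phone_bound:
        findings.append("phone number still bound after verification; remove if not needed")
    if not acct.mfa_enabled:
        findings.append("MFA disabled")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    # Constructed profile matching the described risk, not any real account's settings.
    risky = Account("@example_org", phone_bound=True, mfa_enabled=False, email_verified=True)
    print(audit(risky))
    print(permissive_sms_reset(risky))              # True: phone control alone wins
    print(hardened_sms_reset(risky, None, now))     # (False, ...): SMS alone refused
    print(hardened_sms_reset(risky, "email", now))  # (True, ...): second channel satisfied
```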
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.