Yesterday the Securities and Exchange Commission’s (SEC) X account was hijacked. The hijacker posted a fake report that the SEC had approved the long awaited spot bitcoin ETFs. Shortly afterwards, Chair Gary Gensler used his personal X account to tweet that it was fake news. Based on a post on the SECGov account acknowledging the account was compromised, control has been returned to the Commission.
X.com’s security team confirmed that the account was compromised. Its preliminary investigation pointed to someone getting control over a phone number associated with the @SECGov account.
“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised,” the post states.
Regulators were swift to react. Republican Senators JD Vance and Thom Tillis wrote a letter saying, “These developments raise serious concerns regarding the Commission’s internal cybersecurity procedures.” Adding, “It is unacceptable that the agency entrusted with regulating the epicenter of the world’s capital markets would make such a colossal error.”
New Commission rules on cybersecurity require businesses impacted by a breach to make disclosures within four days. Congress wants one in a similar timescale. The senators also asked, “How does the Commission plan to rectify any financial losses borne by investors as a result of the errant announcement.”
Clearly this was a serious issue. Some might argue it could have been much more severe had it not been related to the relatively small digital assets sector.
Two factor authentication is a vital security step. However, it’s worth waiting to hear what happened before jumping to conclusions. Some have speculated it was a draft Tweet mistakenly posted early.
