Twitter says it’s not its fault the SEC’s account got hacked

Investigation also reveals SEC account did not have 2FA enabled.

Graham Cluley


The safety team at Twitter (I refuse to call the site X because that’s the completely daft kind of name a nine-year-old would choose) has responded to the high profile hack of the SEC Twitter account, which made headlines around the world.

And what do they have to say?

Well, in a nutshell – “it’s not our fault.”

[Image: @Safety's tweet about the @SECGov compromise, quoted below]

Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.

What @Safety is saying is that someone hijacked control of the mobile phone number associated with the official SEC account. This was, one assumes, through a SIM swap attack.

A SIM swap attack is where a scammer manages to trick the customer service staff of a cellphone provider into giving them control of someone else’s phone number. Sometimes this is done by a fraudster reciting personal information about their target to the telecoms company, tricking them into believing they are someone they’re not.

When a service – such as Twitter – later sends a password reset link or authentication token to the user’s phone number via SMS, it ends up in the hands of the criminal.


Victims of SIM swap attacks in the past have included former Twitter boss Jack Dorsey, who had his Twitter account hijacked in 2019.

And, I’m afraid, Twitter does make it possible to reset an account password just by knowing and having access to a mobile phone number.

The other interesting revelation is that the official SEC Twitter account did not have two-factor authentication (2FA) enabled. This is a feature that I would recommend all users turn on, as it provides an additional layer of security – and can make it harder (albeit not entirely impossible) for criminals to break into an account.

To hear that the US Securities & Exchange Commission did not have multi-factor authentication enabled is frankly bonkers.

Is this the same SEC that is chaired by Gary Gensler, who during cybersecurity awareness month in October, reminded everyone of the importance of setting up multi-factor authentication to secure their accounts?

[Image: SEC Chairman Gary Gensler's tweet urging people to set up multi-factor authentication]

Hey, here’s an idea for Twitter/X/Elon’s multi-billion dollar vanity project (delete as appropriate):

Why don’t you make two-factor authentication (preferably not SMS-based, as there are better forms of 2FA) mandatory for verified and corporate accounts on Twitter?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
