The official X account of the United States Securities and Exchange Commission was “compromised” this afternoon, resulting in the publication of an “unauthorized” post, according to SEC chair Gary Gensler. The account, @SECGov, also said the account had been compromised.
“The SEC has determined that there was unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time shortly after 4 pm ET,” an SEC spokesperson said in a statement to WIRED. “That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”
While X did not respond to WIRED's request for comment, the company confirmed the breach of the @SECGov account in a post on X. “We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” the company wrote. “We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”
The @SECGov account published a post this afternoon regarding the regulatory status of Bitcoin ETFs, a financial product that would allow people to invest in bitcoin like standard stocks. The post, which also included an image with an apparently fake quote from Gensler, has since been deleted.
The fake post appeared to lead to a brief spike in Bitcoin’s value of around 2.5 percent, to nearly $47,870, before crashing around 3.2 percent from its original price.
Following news of the SEC's compromised account, US senator Bill Hagerty said in a post on X that Congress should investigate the incident.
“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened,” Hagerty, a Tennessee Republican, wrote. “This is unacceptable.”
This is at least the second high-profile compromise of an X account in recent days. Mandiant, a leading cybersecurity firm now owned by Google, had its X account hacked on January 3. A scammer used their access to post a malicious link in an attempt to steal cryptocurrency from victims.
X owner Elon Musk’s aggressive slashing of the company's staff has, over the past year, raised fears that the cuts would leave X (formerly Twitter) unable to secure a platform depended on by users that include high-profile figures and government agencies worldwide. One former Twitter information security official sued Musk and others for alleged wrongful termination after he was fired for, he claims in the lawsuit, arguing that the staff cuts would interfere with X’s ability to comply with a 2011 consent decree with the US Federal Trade Commission to protect users’ personal information.
Even before Musk’s acquisition of the company, former Twitter chief security officer Peiter Zatko filed an extensive whistleblower report to US government agencies about the company’s alleged security issues, including the claim that it gave its own staff too much unmonitored access to the platform.
“People put a lot of trust into an entity that has stopped being a serious company,” says Allison Nixon, the chief research officer for cybersecurity firm Unit 221B, which frequently deals with hackers’ account takeovers. “If a government wants to be able to make statements that people can rely on, they can’t do that on a platform that has a targeted-account-takeover problem.”
The SEC account’s compromise is arguably the most consequential hijacking of a public figure’s Twitter account since 2020, when a group of young hackers tricked Twitter employees into giving them access to a powerful internal tool that allowed them to take control of users’ profiles.
They used it to post a scam messages to the accounts of users that included Joe Biden, Barack Obama, Jeff Bezos, Elon Musk, and Kim Kardashian, offering to donate twice the amount of any payment users sent to the hackers’ Bitcoin addresses back to the sender. The scam netted nearly $120,000 within minutes before the messages could be deleted. In that case, the hackers were identified—in part thanks to cryptocurrency-tracing evidence left on Bitcoin’s blockchain—and were arrested within two weeks.
Soon after news of the @SECGov’s compromise broke, Musk responded to a post joking about the account’s security. “What’s the SEC’s password? Wrong answers only,” @dogeofficialceo wrote. Musk, who was sued in July 2023 for allegedly inflating the price of the cryptocurrency Dogecoin, responded: “LFGDogeToTheMoon!!”
Additional reporting by William Turton and Makena Kelly.
Updated at 7:20 pm ET, January 9, 2024, to include a statement from the SEC regarding the compromise of its X account.
Updated at 10:15 am ET, January 10, 2024, to include a statement from X regarding the breach of the @SECGov account.
