The Hack of the SEC’s X Account Reveals Cybersecurity Confusion

Cybersecurity is a world filled with ambiguity and technical complexity. Often there are few details given when an organization is compromised, due to the highly sensitive nature of such an event along with the time it takes for a full forensic picture to be pieced together. These facts do not matter much to the narrative weavers looking to use the confusion surrounding such events for personal gain. When it comes to understanding cybersecurity incidents breaking in the news, people should take a humble approach and wait till the dust settles, rather than ignore the developing facts to malign the parties involved.

On January 9th, the X account of the Securities and Exchange Commission (SEC) was compromised. The threat actor used their newfound access to post that the SEC had approved highly anticipated Bitcoin ETFs. X confirmed the breach and revealed that the threat actor went through a third party to gain unauthorized access to the phone number used for the SEC’s X account. X also clarified that the SEC’s X account was not set up with two-factor authentication and that none of the social media company’s systems were affected.

Oregon Senator Ron Wyden and Wyoming Senator Cynthia Lummis put out a statement shortly after on January 11th calling for an investigation into the agency’s glaring lack of basic cybersecurity measures such as multi-factor authentication (MFA). The letter to the SEC Inspector General also identifies the need for MFA that is “phishing resistant.” This is a key call out because MFA could have been enabled but if it had been text message based, then the threat actor would have been able to pass the security check since they had already compromised the phone number.

These two Senators exemplify what a proper response to a cybersecurity breach should look like. They are literate enough in the subject to properly identify real vulnerabilities involved but humble enough to call on investigative bodies to figure out the whole picture before casting aspersions.

Displaying the improper response is Bloomberg, who put out an article titled “SEC Account Hack Amplifies Questions About X Security.” Reading that headline, which is usually all that people do, a reader unfamiliar with the situation and unclear on the intricacies of cybersecurity would naturally assume that the false post was the result of X itself being hacked. The two completely unrelated subheadings attempt to draw even more ire towards X by questioning the information posted there and bringing up X’s recent loss in advertiser revenue.

Rather than publishing the actual story about unbelievable government incompetence leading to unstable markets, Bloomberg attempts to place blame on X for the failure of the SEC. It is no secret that legacy media has collectively set its target on Elon Musk. He is a frequent critic of them and presents a threat to their stranglehold on the media ecosystem through his acquisition of Twitter. The piece makes this animus clear by claiming that many advertisers and users are “dismayed by Musk’s free-for-all style of leadership”, that X has “pivoted away from … [reining] in offensive or harmful content”, and that job cuts at X have led to “regular bugs and outages.” It is hard to believe that this piece is about the SEC account hack.

Unfortunately, cybersecurity and its complicated subject matter allow for this misdirection to succeed. The public is not equipped with the knowledge necessary to see through the ruse, meaning that assertions like “the hollowed-out X team can’t keep up with advances in account takeover techniques” will go unchallenged in readers’ minds. The piece does not even identify the culpability that lies with mobile phone companies who do not properly guard against SIM swapping attacks.

Most likely the cause of the SEC’s account compromise, a SIM swap occurs when threat actors use social engineering to get a mobile phone company to associate a targeted phone number with a SIM card under their control, resulting in any messages meant for the number holder to route to them. Also, conveniently buried in the piece is the important detail that US government social media accounts are required to have MFA enabled.

The piece goes on to criticize X by saying the company “made setting up two-factor authentication more difficult for users” because it required them to pay for X premium to be able to use text message-based MFA. The piece bemoans that free users would still have the more secure but more time-consuming option of using authenticator apps for MFA. While it is true that any form of MFA is better than none, it is good practice to shift users away from text-based versions. The piece is working very hard to find fault with the completely wrong party. The piece ends with complete uncertainty as to “who is to blame for [the] breach.” It is certain, however, in identifying a rift between the SEC and Musk that will supposedly only grow because of this incident.

Bloomberg should have published an article telling its readers to check their accounts for MFA availability, particularly the kind not based on text message or email. It should have also called out the SEC for its lack of controls and their failure to comply with federal regulations, like how Senators Wyden and Lummis did. Instead, it decided to use this situation to blatantly attack Musk. Legacy media continues to fail at its role in providing accurate and valuable information. As a result, people are unclear as to what a hack even is or who is to blame for ensuring they don’t happen. Cybersecurity is a complicated subject that should not be approached carelessly, especially if the only motivation is to mislead and unfairly punish others.