Social media giant X has introduced passkeys as a more secure login option for its US-based users on iOS. This move comes in response to a series of account takeover attacks on high-profile organizations, including the Securities and Exchange Commission (SEC) [1] [2] [3] [4] [5].

Description

The SEC recently confirmed that its official X account was hacked [2] [5], resulting in unauthorized content being posted for approximately 30 minutes. The incident is currently under investigation by the SEC, the Office of the Inspector General [1] [5], and the FBI [1] [5]. The hackers were able to gain control of the account by resetting the password after taking control of the associated phone number. It was discovered that multi-factor authentication (MFA) had been disabled on the account since July 2023 [2]. This incident highlights the vulnerability of the SEC’s account on X, previously known as Twitter [5].

SEC Chair Gary Gensler denounced the unauthorized content posted on X, which falsely claimed that the SEC had approved Bitcoin exchange-traded funds (ETFs) [5]. The compromised account was used to publish the fake announcement about Bitcoin ETFs [2], although the SEC later made the announcement for real the following day. As a result of this incident, MFA has now been enabled for all SEC social media accounts [2].

Conclusion

This incident serves as a reminder of the importance of strong security measures, such as passkeys and multi-factor authentication, to protect against account takeover attacks. The SEC’s swift response in enabling MFA for all its social media accounts demonstrates its commitment to enhancing security. Moving forward, it is crucial for organizations to remain vigilant and proactive in safeguarding their online presence to prevent unauthorized access and the dissemination of false information.

References

[1] https://www.yahoo.com/news/sec-sim-swap-used-x-124413158.html
[2] https://www.infosecurity-magazine.com/news/sec-sim-swap-attack-x-account/
[3] https://www.engadget.com/the-sec-says-its-x-account-was-taken-over-with-a-sim-swap-attack-004542771.html
[4] https://www.infosecurity-magazine.com/news/x-passkeys-us-based-users/
[5] https://news.yahoo.com/sec-account-hack-result-sim-162904730.html