The U.S. Securities and Exchange Commission suffered an embarrassing security lapse on January 10th when its official Twitter account was hacked. The hackers posted a falsified tweet announcing that the agency had approved a Bitcoin exchange-traded fund (ETF). This news caused the price of Bitcoin to temporarily spike nearly $2,000 before the SEC issued clarifications that the information was false.
- The official SEC Twitter account was hacked and posted a false tweet claiming a Bitcoin ETF was approved, causing the Bitcoin price to briefly surge.
- The SEC later confirmed the account had been “compromised” and that it has not actually approved any Bitcoin ETFs.
- The breach occurred because the hacker gained access to a phone number linked to the SEC account, not because of a breach within Twitter’s systems.
- The SEC account did not have two-factor authentication enabled at the time.
- Politicians have criticized the lax security measures and are demanding the SEC provide an explanation and investigation into the incident.
The unauthorized tweet claimed that “The SEC grants approval for #Bitcoin ETFs” for listing on all registered national securities exchanges. This long-awaited news immediately pushed the price of Bitcoin from $46,730 up to nearly $48,000. However, SEC Chairman Gary Gensler soon posted that the agency’s account had been “compromised” and that no Bitcoin ETF has actually been approved.
Following this denial, Bitcoin’s price quickly dropped back down to the $45,000 level. The SEC later regained control of its Twitter account and deleted the fake tweet.
An investigation by Twitter’s security team found that the breach was made possible because the SEC’s account did not have two-factor authentication enabled. Instead, the hackers gained access by taking control of a phone number linked to the account through “a third party.” This security oversight allowed them to take over the account without any breach of Twitter’s own systems.
The @SECGov twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— Gary Gensler (@GaryGensler) January 9, 2024
The incident has prompted outrage from Republican politicians who argue it is hypocritical for an agency that demands stringent cybersecurity compliance from businesses to have such lax protections itself. Senator Bill Hagerty said “Congress needs answers on what just happened,” while Senator J.D. Vance deemed it “unacceptable that the agency entrusted with regulating the epicenter of the world’s capital markets would make such a colossal error.”
In addition to demanding an explanation from SEC Chairman Gensler, Vance and Senator Thom Tillis have called on the agency to provide a full report on the breach by January 23rd. They argue that if this incident qualifies as a cyberattack, then the SEC should disclose details within 4 days – the same timeline it requires from public companies.
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
This high-profile security lapse has fueled existing criticisms that the SEC lacks adequate safeguards for its online accounts and systems. It also raises challenging questions about accountability given the agency’s vital role overseeing market integrity and protecting investors.
Ultimately, lawmakers and industry experts will be watching closely to see what actions arise from the SEC’s promised investigation into this case. Tighter security controls, more robust incident reporting policies, and an audit of other potential vulnerabilities may be necessary to rebuild trust in the regulator. For an organization dedicated to transparency and integrity, this breach represents a deep embarrassment as well as an urgent call to action.