X Confirms SEC Hack, Says Account Didn’t Have 2FA Turned On

The Securities and Exchange Commission’s primary X account was hacked on Tuesday, the social media site has confirmed. The account, which falsely tweeted about a much-anticipated Bitcoin ruling, thus throwing the crypto world into a temporary uproar, didn’t have two-factor authentication activated, which allowed an unknown person to compromise it, the site said.

Late Tuesday night, X’s security team shared a post providing details about the incident. That post reads, in part:

We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security.

Ah, 2FA. It truly is an essential part of web security—one that, unfortunately, most people and organizations (including, apparently, social media managers for federal agencies) neglect to ever activate. Let the SEC’s folly be yet another reminder to you, dear reader, to go and turn that shit on immediately.

Tuesday’s hacking episode temporarily threw the web3 community into chaos after the SEC’s compromised account made a post falsely claiming that the SEC had approved the much anticipated Bitcoin ETFs that the crypto world has been obsessed with of late. The claims also briefly sent Bitcoin on a wild ride, as the asset shot up in value temporarily, before crashing back down when it became apparent the news was fake.

The revelation that the SEC account was hacked also seems to throw cold water on conspiracy theories that spread throughout the crypto community, the likes of which speculated the SEC had orchestrated the entire episode for vague, nefarious reasons. As it turns out, the nation’s top financial regulator is just really bad at cybersecurity.