US lawmakers have called on the Securities and Exchange Commission (SEC) to comprehensively review its cybersecurity preparedness following a recent hack that compromised the agency’s X (formerly Twitter) account.
The unauthorized access led to the posting of a fake message about the approval of bitcoin-related exchange-traded funds (ETFs), which affected the cryptocurrency market.
Unauthorized Post Sparks Bitcoin Price Fluctuations:
The hack, which occurred on Tuesday, resulted in the posting of a misleading message on the SEC’s X account, falsely claiming approval for bitcoin ETFs.
While the SEC eventually approved such ETFs a day later, the initial misinformation contributed to a temporary surge in Bitcoin prices to around $48,000 before a rapid decline to below $45,000.
Democratic Senator Ron Wyden from Oregon and Republican Senator Cynthia Lummis from Wyoming jointly penned a letter to the SEC, urging an investigation into the incident. They highlighted concerns about the “SEC’s apparent failure to follow cybersecurity best practices.”
Lack of Two-Factor Authentication Cited:
The letter pointed out that the hack was facilitated by the fact that the SEC’s X account did not have two-factor authentication, a form of multi-factor authentication (MFA), enabled at the time.
MFA is a security control that requires users to supply a password plus a second factor, such as a one-time code sent via email or phone, to access an account. The absence of this added layer of protection raised questions about the SEC’s cybersecurity measures.
X, owned by billionaire Elon Musk, confirmed the hack and acknowledged that an “unidentified individual” gained control over a phone number associated with the SEC’s account. The company admitted that two-factor authentication was not in place during the security breach.
Lawmakers Call for Phishing-Resistant MFA:
In their letter, Wyden and Lummis specifically urged the SEC to investigate its MFA practices in order to identify and address any remaining security gaps, emphasizing the importance of “phishing-resistant MFA.”
The SEC had previously announced its collaboration with law enforcement to investigate the hack, highlighting its commitment to addressing and resolving the cybersecurity incident.