X blames poor SEC security for account hack 

X, the platform formerly known as Twitter, said Wednesday the hack into the account for the Securities and Exchange Commission (SEC) wasn’t due to a breach of the social media company’s systems.  

In a post from X’s safety team account, the company blamed the SEC’s security for the hack that led to a false post being published Tuesday, which appeared to announce the approval of several bitcoin investment funds.  

X said that based on a “preliminary investigation,” the compromise was “not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number” associated with the SEC’s account through a third party.  

The social media platform also said the SEC’s account did not have two-factor authentication enabled at the time it was compromised.  

Two-factor authentication is a common security feature used by websites to protect against unauthorized account access. It typically involves a user approving a login with a code or message sent to a phone number or email account.

That authentication was readily available on Twitter before Elon Musk’s takeover of the website in October 2022. But Musk limited two-factor authentication in March only to users who pay for a premium X subscription.

The SEC’s account was verified as belonging to a government agency, but it is unclear whether the agency had access to two-factor authentication.

Despite those restrictions, X on Wednesday encouraged “all users to enable this extra layer of security.” 

An SEC spokesperson said in a statement on the hack that the agency “continues to investigate the matter and is coordinating with appropriate law enforcement entities, including the SEC’s Office of the Inspector General and the FBI.” 

The spokesperson also said that the unauthorized content on the account was not drafted or created by the SEC.  

The Hill also reached out to an X spokesperson for comment regarding the nature of the preliminary investigation, as well as whether the SEC account was eligible for two-factor authentication given its status as a verified government account.  

The incorrect post on Tuesday was removed roughly 30 minutes after it was posted. The account followed up with a post that stated the account was compromised and the agency had not approved the update.  

The false post was published as the SEC has been expected to announce the approval of bitcoin exchange-traded funds by Wednesday to comply with a federal court ruling.  

Updated: 3:16 p.m.