At 4:11 pm ET on January 9, a post was published to the SEC’s X account announcing the approval of spot bitcoin ETFs, a type of financial product that would allow people to invest in the crypto asset through a regular brokerage. By 4:26 pm, SEC chair Gary Gensler had issued a retraction and said the agency’s account had been “compromised,” and that an “unauthorized tweet was posted.” Apparently Multi-Factor Authentication was not enabled on the account. The damage had already been done. Bitcoin prices swung up and down over the next hours and days.
For business leaders, this is a valuable lesson. Key accounts should be verified and secured as much as possible. Here’s a brief list of accounts to secure.
- Business Leader Network & Email Accounts – especially CEO, CFO, and anyone authorized to make financial transactions or provide media/press updates.
- Banking/Credit Card Accounts
- Company/Business Leader Social Media Accounts
- Administrative Accounts for Key Systems – you might want to verify with your IT team that this has been done, and don’t forget to ask for proof
In this case, the hackers took control of the SEC’s X account by taking over the phone number associated with it, a technique called “SIM swapping” (having the carrier move the victim’s number onto a SIM the attacker controls, so that SMS codes and password resets arrive with the attacker). That leads to more lessons.
- Whenever possible, use an authenticator app or hardware key instead of SMS for MFA.
- Don’t link your phone number to your X account (or any important account).
Want to learn more about how to secure your business? Reach out for a complimentary Cybersecurity Discovery Call.