It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Last Tuesday, the U.S. Securities and Exchange Commission’s account on X, formerly known as Twitter, was hijacked and used to post about the approval of a Bitcoin exchange-traded fund. In a statement, X said that the account was taken over after an attacker got hold of the phone number associated with the account. Additionally, it said the account did not have two-factor authentication enabled, which could have prevented the attacker from accessing the account without the appropriate secondary credentials. This comes against the backdrop of a number of high-profile account breaches on X that involve cryptocurrency schemes, including the breach of Mandiant, a prominent cybersecurity outfit owned by Google. Read more about the SEC breach here.

What you can do

  • This could have happened to anyone, whether an individual or a well-resourced organization. In this case, the attackers presumably managed to hijack the SEC’s account, after getting the phone number associated with it, by recovering the account using the usual “I forgot my password” process.
  • You could optionally remove your phone number to disable it for account recovery purposes, but some organizations depend on a phone number. To get ahead of this risk, whenever possible, call the customer service at your phone company and ask them to add a “number transfer PIN” to your account, so no one can transfer your number to another device without permission. This is not a guarantee; our phone systems have a lot of flaws, but every little bit helps. Note that some service providers will also allow you to add a PIN at a store or from their app.
  • Store this PIN somewhere safe, like a password manager. While you’re at it, use a password manager to create and store more secure, unique passwords. Read our guide to using password managers.
  • Enable two-factor authentication on your X account, and everywhere you can, but particularly on the primary email address that you may use to recover other accounts. Read our guide to learn how to set it up.
  • For added safety, enable "password reset protect" in your X security settings. This will require X to verify that you can access the recovery email or phone number when conducting a password reset.
  • Attackers are creative and may find other ways in, but this is the playbook that will address the most common circumstances. Make them sweat for it. If you work with a media organization and want to learn more about how to lock down your accounts, reach out to our digital security training team.

Updates from my team

  • Our director of digital security, Harlo Holmes, appeared on the Digital Dada Podcast to talk about security nihilism — the feeling you are powerless to do anything about your security. She talks about the cultural specificity of overcoming security nihilism and practical security advice from her experience in the field. Check it out here.

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin