Learn from the social media breach at SEC

Martin Shelton

Principal Researcher

Screenshot of @SECGov’s X post describing breach of their account.

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Last Tuesday, the U.S. Securities and Exchange Commission’s account on X, formerly known as Twitter, was hijacked and used to post a false announcement that a Bitcoin exchange-traded fund had been approved. In a statement, X said the account was taken over after an attacker obtained control of the phone number associated with it. X added that the account did not have two-factor authentication enabled at the time; with a second factor in place that is not tied to the phone number, control of the number alone would not have been enough to get in. This comes against the backdrop of a number of high-profile account breaches on X involving cryptocurrency schemes, including the breach of Mandiant, a prominent cybersecurity firm owned by Google. Read more about the SEC breach here.

What you can do

  • This could have happened to anyone, whether an individual or a well-resourced organization. In this case the attackers presumably took over the SEC’s phone number by having the carrier move it to a device they controlled (commonly called a SIM swap), then used the usual “I forgot my password” process: the reset code that X texts to the number on file arrived on the attacker’s phone instead of the SEC’s.
  • You could remove your phone number from the account so it can no longer be used for recovery, but some organizations depend on having one. To get ahead of this risk, whenever possible, call your phone company’s customer service and ask them to add a “number transfer PIN” (sometimes called a port-out PIN) to your account, so no one can move your number to another carrier without it. Ask at the same time whether a separate account PIN or SIM lock is needed to block a SIM change within the same carrier, since some providers treat the two differently. This is not a guarantee; our phone systems have a lot of flaws, but every little bit helps. Note that some service providers will also let you add a PIN at a store or from their app.
  • Store this PIN somewhere safe, like a password manager. While you’re at it, use a password manager to create and store strong, unique passwords. Read our guide to using password managers.
  • Enable two-factor authentication on your X account, and everywhere you can, but particularly on the primary email address you may use to recover other accounts. Choose an authenticator app or a hardware security key rather than SMS codes: in a scenario like the SEC’s, a code sent by text message would simply have gone to the attacker. Read our guide to learn how to set it up.
  • For added safety, enable “password reset protect” in your X security settings. With it on, X requires you to enter the email address or phone number on file before it will send a reset link, so an attacker cannot start a reset knowing only the username. It does not help if the attacker already controls your recovery phone number or email, which is why the steps above matter more.
  • Attackers are creative and may find other ways in, but this is the playbook that will address the most common circumstances. Make them sweat for it. If you work with a media organization and want to learn more about how to lock down your accounts, reach out to our digital security training team.

Updates from my team

  • Our director of digital security, Harlo Holmes, appeared on the Digital Dada Podcast to talk about security nihilism — the feeling you are powerless to do anything about your security. She talks about the cultural specificity of overcoming security nihilism and practical security advice from her experience in the field. Check it out here.

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin


Read more about Digital Security Digest

Mozilla breaks into the anti-data broker game

Hundreds of data brokers aggregate and sell access to personal data, such as phone numbers, email addresses, home addresses, and even purchasing habits, collected through loyalty card programs, social media sites, apps, trackers embedded in websites, and more. Mozilla has launched a monthly subscription service that automatically scans data broker websites for your personal data, but there are other ways to make your data less easily searchable. Read more from the Digital Security Team.

Moving from passwords to passkeys

Instead of a traditional password, which you log in with by knowing it or storing it in a manager, a passkey is a cryptographic credential stored on your device and registered with an online account, so there is no shared secret for a website to leak or an attacker to phish. Read more in our newsletter.

Journalists targeted with Pegasus yet again

Mercenary spyware firm NSO Group’s Pegasus spyware, designed to remotely access targeted smartphones, is marketed to governments around the world for the purposes of law enforcement and counterterrorism. But in the wild, we’ve seen governments repeatedly abuse this and similar spyware tools to infect journalists, spying on their most sensitive files, communications, and sources.