Learn from the social media breach at SEC

Martin Shelton

Principal Researcher

Screenshot of @SECGov’s X post describing breach of their account.

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Last Tuesday, the U.S. Securities and Exchange Commission’s account on X, formerly known as Twitter, was hijacked and used to post about the approval of a Bitcoin exchange-traded fund. In a statement, X said that the account was taken over after an attacker got hold of the phone number associated with the account. Additionally, it said the account did not have two-factor authentication enabled, which could have prevented the attacker from accessing the account without the appropriate secondary credentials. This comes against the backdrop of a number of high-profile account breaches on X that involve cryptocurrency schemes, including the breach of Mandiant, a prominent cybersecurity outfit owned by Google. Read more about the SEC breach here.


What you can do

  • This could have happened to anyone, whether an individual or a well-resourced organization. In this case the attackers, having taken control of the phone number associated with the account, presumably hijacked it through the ordinary “I forgot my password” recovery process: with no second factor in the way, a reset code sent to that number was all they needed.
  • You can remove your phone number from the account so it can no longer be used for recovery, but some organizations depend on having a phone number on file. Attackers typically take over a number through a SIM swap or unauthorized port-out, social-engineering the carrier into moving the number onto a SIM they control. To get ahead of this risk, whenever possible, call your phone company’s customer service and ask them to add a “number transfer PIN” (some carriers call it a port-out or account PIN) to your account, so no one can move your number to another carrier or device without it. This is not a guarantee; our phone systems have a lot of flaws, but every little bit helps. Some carriers will also let you add the PIN in a store or from their app.
  • Store this PIN somewhere safe, like a password manager. While you’re at it, use a password manager to create and store more secure, unique passwords. Read our guide to using password managers.
  • Enable two-factor authentication on your X account and everywhere else you can, but especially on the primary email address you use to recover other accounts. Prefer an authenticator app or a hardware security key over SMS codes: a text-message code goes to the very phone number a SIM swapper now controls. Read our guide to learn how to set it up.
  • For added safety, enable “password reset protect” in your X security settings. With it on, X will not start a password reset for a username alone; whoever requests the reset must also supply the email address or phone number on the account. This raises the bar for an attacker who knows only your username, though not for one who already controls your phone number, which is why the transfer PIN and non-SMS two-factor authentication above matter most.
  • Attackers are creative and may find other ways in, but this is the playbook that will address the most common circumstances. Make them sweat for it. If you work with a media organization and want to learn more about how to lock down your accounts, reach out to our digital security training team.

Updates from my team

  • Our director of digital security, Harlo Holmes, appeared on the Digital Dada Podcast to talk about security nihilism — the feeling you are powerless to do anything about your security. She talks about the cultural specificity of overcoming security nihilism and practical security advice from her experience in the field. Check it out here.

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin


Read more about Digital Security Digest

Apple's password app

In the hope of simplifying how customers can log into apps and websites, Apple has announced it will offer a new Passwords app in its upcoming versions of iOS 18, iPadOS 18, and macOS 15.

Oops, all breaches!

Data breach notification service “Have I Been Pwned?” has added login information associated with 361 million email addresses. Have I Been Pwned founder Troy Hunt says as many as 151 million of these email addresses had never appeared in his database before. The site now tracks over 13.5 billion breached accounts. Some of these credentials were reportedly harvested from users’ devices infected with information-stealing malware.

Slack trains AI models on user data

This past week, Slack published a blog post defending its privacy practices following widespread criticism over its use of customer data to train its global AI models. At the moment, organizations must actively opt out to prevent their messages, content, and files from being mined to develop Slack’s AI.