This week, the United States Securities and Exchange Commission suffered an embarrassing-and market-moving-breach in which a hacker gained access to its X social media account and published fake information about a highly anticipated SEC announcement related to bitcoin.
The agency regained control of its account and deleted the post in under an hour, but the situation is troubling, especially given that the prominent and well-respected security firm Mandiant, which is owned by Google, had its X account compromised in a similar incident last week.
Details are still emerging about exactly what happened in each case, but there are common threads that made the account takeovers possible-and there are ways to protect yourself.
Also known as 2FA, the defense requires a rotating numeric code or physical dongle in addition to a person's login credentials, so everything isn't resting on just a username and password.
The SEC has not yet said whether it had two-factor turned off accidentally as a result of X's February 2023 policy change, which made it so only accounts paying for a Blue subscription would have access to two-factor codes sent via text message.
The two incidents lay out a punch list of the most important steps you can take to lock down your X account.
First, ensure that your account is protected by a strong, unique password.
Second, turn on two-factor for your account or, if you think you already have it on, check to make sure.
X's move to make people pay for a basic form of two-factor is problematic.
It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly simply turned off the protection altogether for those who didn't.
This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don't.
To confirm that you have two-factor on, or to enable it for the first time, log into your X account, go to Settings and privacy, then Security and account access, Security, and then Two-factor authentication.
On that screen, you can choose between using two-factor authentication with a code-generating app or a physical security key.
You can also generate backup codes for your account to log in to X even if you lose access to your second factor.
Finally, check that there isn't a phone number linked to your X account that can be used for account recovery.
Though X has made it more convoluted to enable strong account security, it's worth learning from the SEC and Mandiant's mistakes.
This Cyber News was published on www.wired.com. Publication date: Fri, 12 Jan 2024 18:28:06 +0000