Mandiant, SEC lose control of X accounts without 2FA
Upon review, Google’s cybersecurity operation at Mandiant has determined it temporarily lost control of its X account to cryptocurrency drainer malware operators on Jan. 3 because it didn’t have two-factor authentication set up.
Effective March 20, 2023, only paid, premium subscribers to X (formerly Twitter) have access to 2FA.
It’s an embarrassing admission that experts say is a sign of the strain cybersecurity teams are under to keep a crushing onslaught of cyberattacks at bay with a shrinking pool of resources and talent to meet the challenge. If it can happen to Mandiant, it can happen anywhere, they warn.
“Normally, 2FA would have mitigated this, but due to some team transitions and a change to X’s 2FA policy, we were not adequately protected,” is a statement the Mandiant team certainly never wanted to compose, but it was nonetheless posted on X on Jan. 10. “We’ve made changes to our process to ensure this doesn’t happen again.”
X’s 2FA Upcharge
In a separate high-profile incident on Jan. 9, the X account operated by the Securities and Exchange Commission (SEC) was hijacked to post a fake announcement that the regulator had approved exchange-traded funds (ETFs). Although the post was taken down in less than 20 minutes, it gained 1 million views and drove the value of Bitcoin up by 5%.
In this instance, X put out a statement that the @SECGov account was accessed through a compromised phone number associated with the account. The statement also noted that the SEC did not have 2FA enabled on the account.
To read the complete article, visit Dark Reading.