Mandiant, SEC lose control of X accounts without 2FA

Becky Bracken, Dark Reading

January 16, 2024

Upon review, Mandiant, Google’s cybersecurity unit, has determined that it temporarily lost control of its X account to cryptocurrency drainer malware operators on Jan. 3 because the account did not have two-factor authentication (2FA) set up.

Since March 20, 2023, X (formerly Twitter) has restricted SMS-based 2FA to paid premium subscribers; authenticator-app and hardware security-key 2FA remain available to all accounts, but accounts that previously relied on text-message codes and did not switch methods were left with no second factor at all.

It’s an embarrassing admission that experts say reflects the strain cybersecurity teams are under, expected to hold back a crushing onslaught of cyberattacks with a shrinking pool of resources and talent. If it can happen to Mandiant, it can happen anywhere, they warn.

“Normally, 2FA would have mitigated this, but due to some team transitions and a change to X’s 2FA policy, we were not adequately protected,” is a statement the Mandiant team surely never wanted to write, but it was nonetheless posted to X on Jan. 10. “We’ve made changes to our process to ensure this doesn’t happen again.”

X’s 2FA Upcharge

In a separate high-profile incident on Jan. 9, the X account operated by the Securities and Exchange Commission (SEC) was hijacked to post a fake announcement that the regulator had approved spot Bitcoin exchange-traded funds (ETFs). Although the post was removed in less than 20 minutes, it gained 1 million views and briefly drove the price of Bitcoin up by about 5%.

In this instance, X put out a statement that the @SECGov account was accessed through a compromised phone number associated with the account. The statement also noted that the SEC did not have 2FA enabled on the account at the time.

To read the complete article, visit Dark Reading.
