Mandiant, SEC Lose Control of X Accounts Without 2FA

Crypto hacks on Mandiant and SEC X accounts are the predictable result of the social media platform's upcharge for basic cybersecurity protections, experts say.


Upon review, Google's cybersecurity operation at Mandiant has determined it temporarily lost control of its X account to cryptocurrency drainer malware operators on Jan. 3 because it didn't have two-factor authentication set up.

Effective March 20, 2023, only paid, premium subscribers to X (formerly Twitter) have access to 2FA that's enabled via SMS.

It's an embarrassing admission that experts say is a sign of the strain cybersecurity teams are under to keep a crushing onslaught of cyberattacks at bay with a shrinking pool of resources and talent to meet the challenge. If it can happen to Mandiant, it can happen anywhere, they warn.

"Normally, 2FA would have mitigated this, but due to some team transitions and a change to X's 2FA policy, we were not adequately protected," is a statement the Mandiant team certainly never wanted to have to compose, but nonetheless it was posted on X on Jan. 10. "We've made changes to our process to ensure this doesn't happen again."

X's 2FA Upcharge

In a separate high-profile incident on Jan. 9, the X account operated by the Securities and Exchange Commission (SEC) was hijacked to post a fake announcement that the regulator had approved exchange-traded funds (ETFs). The post, despite being taken down in less than 20 minutes, gained 1 million views and drove the value of Bitcoin up by 5%.

In this instance, X put out a statement that the @SECGov account was accessed by a compromised phone number associated with the account. The statement also noted the SEC did not have 2FA enabled on the account.

While cybersecurity teams are focused on protecting enterprise "crown jewels," threat actors have pounced on the change to X's 2FA pricing, which moved SMS-based 2FA behind the premium tier but left authenticator apps and hardware security keys available to all accounts.

"It's clear that cybercriminals are taking advantage of the X changes in 2023 to multifactor authentication (MFA) via SMS, which forced users to pay for this security functionality or use app-based MFA," Claude Mandy, chief evangelist, data security, at Symmetry Systems, explains. "Unfortunately, as I predicted at the time, it's clear that organizations are not prepared to pay to use a less secure form of authentication like SMS MFA but also can't be bothered to download a free authentication app for their social media management accounts."

Missing the Small Stuff is Easy

While enterprise security teams are focused on preventing sophisticated attacks, it can be easy for even the sharpest teams to overlook the simple stuff, according to Bud Broomhead, Viakoo's CEO.

"The shortage of cybersecurity professionals at a time when threats are rising in volume and velocity is likely causing organizations to take shortcuts," Broomhead says. "Similar to how cybersecurity companies often have more vulnerabilities in their code than other forms of software, due to time pressures and cutting-edge code development, security firms like Mandiant may be so focused on more serious or complex exploits that the basics — like setting up 2FA on an X account — are simply missed."
