How to keep your X account safe from hackers

In light of the SEC’s account compromise earlier this month, cyber expert Rachel Tobac shares her tips for X users hoping to avoid similar attacks.
Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

It’s a bad day when anyone gets hacked. But it’s an even worse day when it’s a federal agency of the United States of America.

The Securities and Exchange Commission’s (SEC) account was compromised on X, formerly known as Twitter, on Jan. 9, with the hackers writing that exchange-traded funds had been approved. The SEC did announce the approval of 11 tradable spot bitcoin exchange-traded funds (ETFs) a day later, but the damage had already been done. As of Friday, Bitcoin had dropped around 6%, with trades at nearly $44,000.

“I would say I did see this coming,” Rachel Tobac, a self-identified “friendly hacker,” said of the SEC hack. “Unfortunately, there’s a lot of reasons why these types of attacks happen…We see account takeovers happen all the time, especially in the crypto space on Twitter.”

IT Brew caught up with Tobac—the co-founder and CEO of SocialProof Security in San Francisco, California—to chat about the hack and to further dive into a few ways users can prevent account takeover on X.

Remove your phone number from X—and other accounts of value

This helps prevent SIM swapping, in which a malicious actor could take over your phone number by calling your telephone company, pretending to be you, and requesting that the company switch your number to their SIM card.

“A lot of users don’t realize that when they went through the verification process, the phone number was then stored on their account. Now Twitter has this kind of insecure way of allowing you to reset your password,” she said. “Our phone number, unfortunately, is the center of our digital lives in many cases, but we don’t have control over what they do with that.”

Enable multi-factor authentication

On March 20, X changed their policy on two-factor authentication, leaving users who had text message-based 2FA enabled unprotected—unless they were subscribed to Twitter Blue.

“This is kind of unprecedented,” she said. “We’ve never seen another organization require payment for a basic security tool.” Even so, given the risk of SIM swapping, Tobac by and large recommends that users turn on app-based MFA rather than text-message 2FA. She encourages users to also enable MFA on any third-party apps, like Sprout Social and Hootsuite.

Use a long, random, and unique password

OK, you don’t have to go with $upercalifragilicious3xpiaLid0ciouS, but Tobac says passwords on X and any connected third-party accounts should be long, random, and unique. Users can opt for a password manager to keep track of all of their unique concoctions.

“Using a long, random, and unique password will raise the bar for attackers and make it harder for them to get into your account…If you’re able to memorize your password for your account, it’s likely that it’s guessable or findable in a data breach for an attacker,” she wrote on X.