Hacking of X accounts: the social network criticized for its change of heart on two-factor authentication

Do the two hacks of the X accounts of Mandiant and the SEC have anything to do with the change to two-factor authentication introduced by the social network last March? Experts are wondering about a link, since both hacks were made possible by the fact that two-factor authentication was not enabled.

On January 3, it was first the cybersecurity firm Mandiant that temporarily lost control of its account on the social network. Then, a few days later, it was the SEC, the US stock market regulator, whose account was hacked, giving this short series the beginnings of a resemblance to the hacking disaster of July 2020.

These two hacks have one thing in common: the absence of two-factor authentication, a protection that could have prevented the accounts from being taken over. As Mandiant admitted, two-factor authentication was in fact not enabled on its account, which the Google Cloud subsidiary laconically attributed to a transition phase in its teams. According to the company's investigation, the password was likely broken by a brute-force attack.

Troublesome affair

The social network, for its part, pointed to the absence of two-factor authentication on the SEC's account. According to Elon Musk's company, the hack is therefore due to the loss of control of the phone number associated with the account, which suggests a SIM-swapping attack, the hijacking of a phone line that then makes it possible to take control of accounts tied to it.

If at first glance these two hacks might raise the question of negligence on the part of the account owners, the affair is in reality very embarrassing for X. After cutting its workforce, including its security teams, the social network has been adrift since its acquisition by Elon Musk in October 2022. Last March, it reshuffled the cards around two-factor authentication.

For cost reasons, X then indicated that it would henceforth reserve this feature, at least the version based on sending an SMS, for its paying subscribers. Other multi-factor authentication methods, via a security key or an authenticator app, which are more secure than SMS, remained available free of charge.

Vulnerable accounts

If the intention was understandable, the method was clearly not the right one. As ZDNET noted at the time, the firm had in fact decided to automatically deactivate SMS two-factor authentication within thirty days. A very bad way to proceed. This certainly left accounts vulnerable to brute-force attacks, especially those of less active users, who were the least likely to notice this policy change.

According to Mandiant, the attackers behind the takeover of its X account wanted to lure Internet users to a phishing page hosting a drainer, a type of malicious program that siphons off crypto-assets.

As for the SEC hack, it looks like a particularly audacious attempt at price manipulation, with a fake tweet announcing in advance the SEC's approval of a spot bitcoin ETF.
