Mandiant, SEC Lose Control of X Accounts Without 2FA

Published: 23/11/2024   Category: security




Crypto hacks on the Mandiant and SEC X accounts are the predictable result of the social media platform's upcharge for basic cybersecurity protections, experts say.



Upon review, Google's cybersecurity operation at Mandiant has determined that it temporarily lost control of its X account to cryptocurrency drainer malware operators on Jan. 3 because it did not have two-factor authentication (2FA) set up.
Since March 20, 2023, only paid premium subscribers to X (formerly Twitter) have had access to 2FA delivered via SMS.
It's an embarrassing admission that experts say is a sign of the strain cybersecurity teams are under as they try to hold back a crushing onslaught of cyberattacks with a shrinking pool of resources and talent. If it can happen to Mandiant, it can happen anywhere, they warn.
"Normally, 2FA would have mitigated this, but due to some team transitions and a change to X's 2FA policy, we were not adequately protected," is a statement the Mandiant team certainly never wanted to have to compose, but nonetheless it was posted on X on Jan. 10. "We've made changes to our process to ensure this doesn't happen again."
In a separate high-profile incident on Jan. 9, the X account operated by the Securities and Exchange Commission (SEC) was hijacked to post a fake announcement that the regulator had approved spot Bitcoin exchange-traded funds (ETFs). Although the post was taken down in less than 20 minutes, it gained 1 million views and drove the value of Bitcoin up by about 5%.
In this instance, X put out a statement saying the @SECGov account was accessed via a compromised phone number associated with the account, rather than through any breach of X's systems. The statement also noted that the SEC did not have 2FA enabled on the account.
While cybersecurity teams are focused on protecting enterprise crown jewels, threat actors have pounced on the change to X's 2FA pricing (which affects only the SMS version of 2FA; authenticator apps and hardware security keys remain available to every account at no charge).
"It's clear that cybercriminals are taking advantage of the X changes in 2023 to multifactor authentication (MFA) via SMS, which forced users to pay for this security functionality or use app-based MFA," Claude Mandy, chief evangelist, data security, at Symmetry Systems, explains. "Unfortunately, as I predicted at the time, it's clear that organizations are not prepared to pay to use a less secure form of authentication like SMS MFA but also can't be bothered to download a free authentication app for their social media management accounts."
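To make the distinction above concrete, here is an added example (not code from the article, Mandiant, the SEC or X) of how the free app-based option works. A TOTP code is derived only from a shared secret and the current time, so no phone number or carrier sits in the loop, which is exactly the link that was compromised in the SEC case. The secret and timestamps are the published RFC 6238 test vectors; the account name and issuer in the enrolment URI are constructed placeholders.

```python
"""RFC 6238 TOTP generation and verification, the mechanism behind free
authenticator apps. Added example, not code from the article or from
Mandiant, the SEC or X. Secret and timestamps are RFC 6238 test vectors."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the common default


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps either side for clock skew.
    Constant-time compare so the check does not leak matching digit prefixes."""
    counter = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI an authenticator app scans (as a QR code) to enrol.
    Note what is absent: no phone number and no carrier."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period={TIME_STEP}")


if __name__ == "__main__":
    # Constructed placeholder account; a real deployment generates a fresh
    # random secret per account instead of the RFC test value.
    print("enrol:", provisioning_uri(RFC_TEST_SECRET, "secops@example.invalid", "ExampleCo"))
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_TEST_SECRET, code, now))
```

The verification window is the one knob that matters operationally: a window of one step tolerates up to 30 seconds of skew between the server and the user's device, while a wider window gives an attacker who has phished a code a proportionally longer replay period.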
While enterprise security teams are focused on preventing sophisticated attacks, it can be easy for even the sharpest teams to overlook the simple stuff, according to Bud Broomhead, Viakoo's CEO.
The shortage of cybersecurity professionals at a time when threats are rising in volume and velocity is likely causing organizations to take shortcuts, Broomhead says. Similar to how cybersecurity companies often have more vulnerabilities in their code than other forms of software, due to time pressures and cutting-edge code development, security firms like Mandiant may be so focused on more serious or complex exploits that the basics, like setting up 2FA on an X account, simply get missed.





