The hack of a social media account used by the Securities and Exchange Commission is prompting both internal and external investigations into how the security breach occurred and whether anyone tried to profit from it, said the commission and several legal experts.
The S.E.C. said in a statement on Wednesday that it was coordinating an investigation into the hack that occurred the prior day “with appropriate law enforcement entities, including the S.E.C.’s Office of the Inspector General and the F.B.I.”
John Reed Stark, a former S.E.C. enforcement lawyer and regulatory consultant on cybersecurity, said the commission’s inspector general would need to investigate how a hacker was able to access the S.E.C.’s official account on X — formerly Twitter — to post a false message that the commission had approved several Bitcoin investment products.
“This is, unfortunately, a glaring failure of basic cyber-hygiene,” Mr. Stark said.
He also said federal prosecutors would very likely open a separate investigation into whether the hack was part of an attempt to profit from changes in Bitcoin’s price spiking. Mr. Stark added that it did not matter whether the hackers made any money from trading during the 15 minutes or so the post was online, but whether they had the criminal intent to do so.
Daniel Hawke, a partner at the law firm Arnold & Porter and a former director of the S.E.C.’s market abuse unit, said the fake post had all the hallmarks of an attempt to “manipulate the crypto markets.”
Some in Congress also want to learn more about the hack and the S.E.C.’s diligence. The House Financial Services Committee on Wednesday afternoon sent a letter to Gary Gensler, the S.E.C.’s chair, asking for a “briefing” on the incident no later than Jan. 17.
A spokesman for the Justice Department declined to comment. A spokesman for the S.E.C.’s inspector general said, “We are currently evaluating the circumstances and reviewing the S.E.C.’s statements.”
In a post on Tuesday night, X said that the hacker had used a phone number associated with the S.E.C. account, and that the government agency did not have the two-factor authentication security feature in place to prevent unauthorized access.
Last year, Elon Musk, X’s owner, announced changes to how users can deploy two-factor authentication to secure access to their accounts. It’s not clear how the S.E.C. responded to those security changes.
This is not the first time that the S.E.C. has been hacked.
In 2017, the S.E.C. disclosed that hackers had breached the commission’s Edgar filing system — the computer database that public companies and investment funds use to make regulatory filings and disclose potentially market-moving information to investors.
The breach prompted a major law enforcement inquiry; in 2019, federal prosecutors charged two Ukrainian nationals with hacking into the database and stealing secret information that they could either trade on or sell to others.
In September, the S.E.C. inspector general’s office issued a letter saying that the commission had “made progress toward implementing” governmentwide cybersecurity standards but had not completed all the required steps. The inspector general had asked the S.E.C. about the steps it had taken to protect “public-facing systems that support multifactor authentication.”
During cybersecurity awareness month, in October, Mr. Gensler, posted about the importance of digital security. “This is a reminder to secure your financial accounts as well as protect against identity theft and fraud,” he posted on X on Oct. 23. He listed several steps, including “set up multifactor authentication.”
In July, the S.E.C. adopted a rule that required public companies to promptly report cybersecurity incidents and disclose information annually on their cybersecurity risk management. In announcing the rule, Mr. Gensler said that “whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”
The fake X post saying that the S.E.C. had approved several Bitcoin exchange-trade funds purported to have come from Mr. Gensler and included his photograph. Roughly 15 minutes after it appeared, Mr. Gensler said on his own X account that the post on the S.E.C. account was an “unauthorized tweet.”
The scam initially sent Bitcoin’s price surging before tumbling back.
Under Mr. Gensler, the S.E.C. has used its X account to post messages and video presentations to the investing public.
David Yaffe-Bellany contributed reporting.
