Based on current information, staff understands that, shortly after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized party gained access to the @SECGov X.com account by obtaining control over the phone number associated with the account. The unauthorized party made one post at 4:11 pm ET purporting to announce the Commission’s approval of spot bitcoin exchange-traded funds, as well as a second post approximately two minutes later that said “$BTC.” The unauthorized party subsequently deleted the second post, but not the first. Using the @SECGov account, the unauthorized party also liked two posts by non-SEC accounts. While SEC staff is still assessing the scope of the incident, there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.

Upon becoming aware of the incident, staff in the Office of Public Affairs posted to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised, an unauthorized post was made, and the Commission had not approved the listing and trading of spot bitcoin exchange-traded products. Staff deleted the first unauthorized post on the @SECGov account, un-liked the two liked posts, and, at 4:42 pm ET, made a new post on the @SECGov account stating that the account had been compromised. Staff also reached out to X.com for assistance in terminating the unauthorized access to the @SECGov account. Based on information currently available, staff believe that the unauthorized access to the account was terminated between 4:40 pm ET and 5:30 pm ET.

The SEC takes its cybersecurity obligations seriously. Commission staff are still assessing the impacts of this incident on the agency, investors, and the marketplace but recognize that those impacts include concerns about the security of the SEC’s social media accounts. The staff also will continue to assess whether additional remedial measures are warranted.

Staff are coordinating with appropriate law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, amongst others, in their investigations. The agency will provide updates on the incident as appropriate. Importantly, the Commission makes its actions public on the Commission’s website, http://www.sec.gov. The Commission does not use social media channels to make its actions public; social media posts only amplify announcements that are made on our website.

Bill Singer's Comment

According to Chair Gensler's January 12, 2024, Statement at https://www.sec.gov/news/statement/gensler-x-account, the alleged hack of "@SECGov X.com" occurred at 4:11 pm ET on January 9, 2024; and, further, the .gov-posted Statement asserts that the SEC's formal response manifested itself in this fashion.

Upon becoming aware of the incident, staff in the Office of Public Affairs posted to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised, an unauthorized post was made, and the Commission had not approved the listing and trading of spot bitcoin exchange-traded products. Staff deleted the first unauthorized post on the @SECGov account, un-liked the two liked posts, and, at 4:42 pm ET, made a new post on the @SECGov account stating that the account had been compromised. Staff also reached out to X.com for assistance in terminating the unauthorized access to the @SECGov account. Based on information currently available, staff believe that the unauthorized access to the account was terminated between 4:40 pm ET and 5:30 pm ET.

As such, the SEC Office of Public Affairs announced the unauthorized post (the hack) via a post "to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised . . ."

Interesting bit of phrasing, no? The @garygensler X .com account is "official." Official? Which raises the question as to what the difference in "official" is when it comes to @garygensler and @SECGov versus sec.gov.  Apparently, the SEC doesn't quite see any concerns or issues when it deems Chair Gensler's and the SEC-itself's Twitter / X accounts as rising to the level of sec.gov. Should the SEC really be talking about Twitter / X accounts as official when that private-sector social media company is regulated by the SEC -- and the relationship among the federal regulator, the private company X, and the private corporate executive Musk is often contentious?

2013 SEC Netflix/Hastings Report

Likely forgotten by many industry pundits, is this decade-old matter: Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings (SEC Report of Investigation; '34 Act Rel. No. 69297 / April 2, 2013)
https://www.sec.gov/files/litigation/investreport/34-69279.pdf, which was prompted by this event [Ed: footnotes omitted]:

The Division of Enforcement has investigated whether Netflix, Inc. (“Netflix”) and its Chief Executive Officer, Reed Hastings (“Hastings”) violated Regulation FD (17 C.F.R. §243.100 et seq.) and Section 13(a) of the Securities Exchange Act of 1934 (“Exchange Act”). The Commission has determined not to pursue an enforcement action in this matter. The investigation concerned Hastings’s use of his personal Facebook page, on July 3, 2012, to announce that Netflix had streamed 1 billion hours of content in the month of June. Neither Hastings nor Netflix had previously used Hastings’s personal Facebook page to announce company metrics, and Netflix had not previously informed shareholders that Hastings’s Facebook page would be used to disclose information about Netflix. The post was not accompanied by a press release, a post on Netflix’s own web site or Facebook page, or a Form 8-K.

The investigation raised questions regarding: 1) the application of Regulation FD to Hastings’s post; and 2) the applicability of the Commission’s August 2008 Guidance on the Use of Company Web Sites to emerging technologies, including social networking sites, such as Facebook. 

at Page 1 of the 2013 SEC Report of Investigation

Personal Social Media Sites of Individuals

Among the issues considered in the 2013 Netflix/Hastings Report was this aspect of the use of a personal social media site to disclose material corporate information [Ed: footnotes omitted]::

Although every case must be evaluated on its own facts, disclosure of material, nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the site may be used for this purpose, is unlikely to qualify as a method “reasonably designed to provide broad, non-exclusionary distribution of the information to the public” within the meaning of Regulation FD.This is true even if the individual in question has a large number of subscribers, friends, or other social media contacts, such that the information is likely to reach a broader audience over time. Personal social media sites of individuals employed by a public company would not ordinarily be assumed to be channels through which the company would disclose material corporate information. Without adequate notice that such a site may be used for this purpose, investors would not have an opportunity to access this information or, in some cases, would not know of that opportunity, at the same time as other investors.

at Pages 7 - 8 of the 2013 SEC Report of Investigation

@GaryGensler and @ SECGov and sec.gov

As posted on the SEC's "Speeches and Statements" page at https://www.sec.gov/news/speeches-statements, the January 12, 2024 Statement at https://www.sec.gov/news/statement/gensler-x-account references "@GaryGensler." Note that the January 2024 SEC Statement is posted on "www.sec.gov . . ." and the link to the statement is posted on "www.sec.gov . . .;" however, the cited "@GaryGensler" post is made on a non-SEC site of "https:''twitter.com/ . . ." Using that handles as a search term, you are taken to this page https://twitter.com/GaryGensler/status/1744833049064288387. SEC Chair Gensler's cited Twitter / X post (which references "@SECGov") appears as follows:

Accordingly, the @GaryGensler tweet admonishes that the "@SECGov twitter account was compromised . . ." but what, exactly, is the public to make of the differences between content posted on "sec.gov" and, in contradistinction, content posted on "@SECGov" and content posted on "@GaryGensler"? Moreover, should the SEC be fostering such confusion that the private "twitter account," which is housed on what has morphed into X  or Twitter/X is somehow an "official" United States government site?

Consider how the @GaryGensler page actually displays online under the heading "https://twitter.com/GaryGensler":

A Federal Disclaimer Disclaiming a Social Media Disclaimer?

In the spirit of asking more questions to foster more careful deliberation about the use of social media by government figures and potentially imbuing such social media sites with the appearance of a formal, governmental status, consider what the above "Disclaimer" asserts:

Frankly, I find the entire SEC's social media presence to be both troubling and potentially dangerous. The "Disclaimer" link to the Twitter/X pages sends the reader back to an SEC.gov webpage at https://www.sec.gov/page/sec-social-media-disclaimer. The "SEC Social Media Disclaimer," which is on an sec.gov page warns that social media content expresses only the "author's views." Further, the sec.gov disclaimer states that the author's views are not approved or endorsed by the Commission. What an incredibly bit of circular illogic! A disclaimer posted on a private Twitter/X page sends the reader to a disclaimer on an sec.gov governmental site page, but the official governmental disclaimer says that the views on the social media page are not approved/endorsed by the government agency. So . . . like, y'know, just what the hell are the @GaryGensler and @SECGov Twitter/X pages? Private content? Public content? Opinion? Government sanctioned posts?

I would urge the SEC to re-visit its 2013 Netflix/Hastings policy and better incorporate that position with the regulator's 2024 use of social media. Clearly, the emphasis must be on avoiding the use of a non-governmental social media page as the first resort to announcing material regulatory events involving the federal regulator.   

UPDATE January 23, 2024

And despite it all (or perhaps in spite of it all?), the SEC still doesn't quite get it. As a federal regulator, the SEC has an obligation to provide transparency in its dealings and to clearly and unequivocally offer public dissemination of its conduct -- even when it's "misconduct." Instead, the SEC plays a shell game when it comes to disclosing the @SECGov / Twitter / X account hack.

Despite the SEC having a "Speeches and Statements" page on its sec.gov website at https://www.sec.gov/news/speeches-statements, as of January 23, 2024, there is still no posting on that page of the latest revelation involving what is now generally referred to as the "SIM swap" hack. Perhaps a bit too cleverly, the SEC seems to think that transparent, public disclosure is best accomplished by issuing a so-called "Media" statement but not printing out that very statement on, well, y'know, where else? -- on the sec.gov "Speeches and Statements" page. Instead, the SEC apparently created a new, dedicated page titled: "SECGOV X Account" but there's virtually no way to find that listed on the official statements page. Moreover, see if you can find it via a normal online search. Good luck with that! Even more cynically, is that the dedicated page references purported "Statement by an SEC Spokesperson to the Media" for several dates but never posted any of those statement on the, yeah, you got it, on the Speeches and Statements page and still doesn't name the name of the Spokesperson(s).

My what an inconvenient truth it must be for the SEC to go to such lengths to impede the public's efforts to simply and easily find the various SIM swap hack statements. I'm sure that any number of clever folks at the regulator will argue that I'm making much ado about nothing. What I will direct those same hecklers to is this disclosure on the Speeches and Statements page explaining the nature of the content to be posted there: "Speeches and statements (including testimony and video transcripts) given by the Chair, Commissioners, and SEC staff."

And where the hell on that page is the statement by Chair Gensler or any member of the SEC staff concerning the recent revelation of the SIM swap hack?

Here's what they have buried on some far flung page on their ponderous site: