How to Stop Your X Account From Getting Hacked Like the SEC’s

This week, the United States Securities and Exchange Commission (SEC) suffered an embarrassing—and market-moving—breach in which a hacker gained access to its X social media account and posted fake details about a highly anticipated SEC announcement related to bitcoin. The agency regained control of its account and deleted the post in under an hour, but the situation is troubling, particularly given that the prominent and well-respected security firm Mandiant, which is owned by Google, had its X account compromised in a similar incident last week.

Details are still emerging about exactly what happened in each case, but there are common threads that made the account takeovers possible—and there are ways to protect yourself.

Crucially, both accounts had the digital protection known as “two-factor authentication” disabled at the time of the takeovers. Also known as 2FA, the protection requires a rotating numeric code or physical dongle in addition to a person’s login credentials, so everything isn’t resting on just a username and password. The SEC has not yet said whether it had two-factor turned off inadvertently as a result of X’s February 2023 policy change, which made it so only accounts paying for a Blue subscription would have access to two-factor codes sent via text message. Mandiant implied on Wednesday that this change was the reason it didn’t have the protection turned on for its X account, saying, “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected.”

Mandiant said hackers were able to guess the password protecting its X account in “a brute force” attack. X itself said on Tuesday that the SEC account hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

The two incidents lay out a punch list of critical steps you can take to lock down your X account. First, make sure your account is protected by a strong, unique password. Second, turn on two-factor for your account or, if you think you already have it on, check to confirm. X’s move to make people pay for a basic form of two-factor is problematic. It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly just turned off the protection altogether for those who didn’t. This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don’t.

To confirm that you have two-factor on, or to enable it for the first time, log into your X account, go to Settings and privacy, then Security and account access, then Security, and then Two-factor authentication. On that screen, you can choose between using two-factor authentication with a code-generating app or a physical security key. You can also generate backup codes for your account so you can log in to X even if you lose access to your second factor.

Finally, check that there isn’t a phone number linked to your X account that can be used for account recovery. Twitter uses phone numbers to “verify” high-profile accounts and also offers a feature called “Additional password protection,” by which “you must provide either the phone number or email address associated with your account in order to reset your password.” It appears, though, that by having a phone number associated with its X account, the SEC was putting itself at greater risk, because attackers could gain control of the account by first taking over the associated phone number using an attack known as a SIM swap.

“Remove your phone number from Twitter altogether to ensure you avoid the SIM-swap threat with Twitter’s risky text-message-based password reset flow,” says Rachel Tobac, a longtime account compromise researcher and CEO of SocialProof Security. She adds that X users should “turn on 2FA—I recommend app-based at the very least—and ensure you have a strong password on the account.”

Though X has made it more convoluted to enable strong account security, it’s worth learning from the SEC and Mandiant’s mistakes.
