- SEC’s X account was compromised through a “SIM swap” attack, hijacking the linked phone number.
- Multi-factor authentication (MFA) was disabled at the SEC’s request in July 2023.
- Investigation ongoing, focusing on attack method and attacker’s knowledge of phone number.
In a recent update on the security breach of the SEC’s official X account (@SECGov), the regulator disclosed that unauthorized access occurred due to a SIM swap attack and a disabled multi-factor authentication (MFA) feature.
During the ongoing investigation, the SEC revealed that the unauthorized party gained control of the SEC phone number linked to the account through a “SIM swap” attack. By exploiting this method, the unauthorized party bypassed password reset protections and took control of the @SECGov X account.
For those unfamiliar, SIM swapping is a technique where an attacker tricks a telecom carrier into transferring a phone number to a new device. This allows the attacker to receive calls and texts meant for the original owner.
The SEC however clarified that the “access to the phone number occurred via the telecom carrier, not via SEC systems.” The SEC assured the public that despite the unauthorized access, its systems, data, devices, and other social media accounts remain secure.
The SEC underscored that law enforcement is now actively investigating both how the attacker convinced the telecom carrier to perform the SIM swap and how they identified the specific phone number associated with the @SECGov X account.
Furthermore, the statement revealed that MFA, an additional security layer, was disabled on the account in July 2023 at the request of SEC staff due to access issues. This critical security measure was only re-enabled after the hack, leaving the account vulnerable until then.
The unauthorized party, exploiting the compromised X account, made false announcements on January 9 regarding the Commission’s approval of spot bitcoin exchange-traded funds.
Acknowledging the incident’s impact on investor confidence and market stability, Chair Gary Gensler stated, “The SEC takes its cybersecurity obligations seriously.” The agency confirmed ongoing coordination with various law enforcement and federal oversight entities including the SEC’s OIG, FBI, CISA, CFTC, DOJ, and the SEC’s own Division of Enforcement, to investigate the attack and its implications.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.