The U.S. Securities and Exchange Commission (SEC) revealed on Monday that a SIM swap attack was behind the breach of its official X account earlier this month. On January 9, an unidentified individual gained access to the @SECGov account and posted a fake announcement claiming that the first-ever spot bitcoin exchange-traded funds had been approved. The post briefly moved the market, with bitcoin prices swinging before the announcement was disavowed.
The SEC said the unauthorized party took control of the cell phone number associated with the account through a SIM swap attack. In a SIM swap, the attacker gets the victim's phone number moved to a SIM card (and therefore a device) that the attacker controls, typically by convincing the carrier to make the change, so that SMS messages and voice calls meant for the victim, including verification and password-reset codes, are delivered to the attacker instead.
With control of the phone number, the attacker used X's phone-based account recovery to reset the account password. Because the SEC did not have two-factor authentication enabled at the time, the SIM swap plus the password reset were enough to take over the agency's account outright. Note that an SMS-delivered second factor would not have helped in this scenario either, since the attacker already controlled the number; only a factor that does not depend on the phone number, such as an authenticator app or a hardware security key, blocks a SIM swap-based takeover.
Multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, but it was disabled at staff request in July 2023 because of access issues, and it was not re-enabled until after the account was compromised on January 9. The SEC clarified that it had the ability to re-enable two-factor authentication on its X account itself and was not dependent on X to do so.
X owner Elon Musk, who has had conflicts with the SEC, mocked the agency after the breach. The SEC emphasized that there is no evidence the unauthorized party gained access to its systems, data, devices, or other social media accounts.
The agency is investigating the incident with its own Office of Inspector General and Division of Enforcement and with outside law enforcement and regulatory bodies, including the FBI, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, and the Department of Justice. One focus of the investigation is how the attacker convinced the telecom carrier to move the number to a new SIM. The SEC also stated its commitment to ensuring the security of its social media accounts.