SEC’s X account experienced a SIM swap attack, causing significant concern and highlighting vulnerabilities in the agency’s security measures. Surprisingly, the US Securities and Exchange Commission admitted that the two-factor authentication on the X account had been disabled since July 2023, providing an opportunity for unauthorized access.
During this breach, an unknown individual managed to access the SEC’s official X account and even posted a fraudulent announcement about the approval of spot bitcoin ETFs. The false post remained visible for approximately 15 minutes before SEC Chair Gary Gensler took to his personal account to reveal the compromise.
The SEC explained that the disabling of multi-factor authentication was requested by X support after encountering difficulties accessing the account. However, the agency promptly re-enabled MFA after the breach occurred on January 9. Currently, MFA is enabled for all SEC social media accounts that offer this additional security layer.
The hacker successfully exploited the account through a SIM swap, a technique whereby a phone number is transferred to another device without proper authorization. Interestingly, the unauthorized access was achieved through the telecom carrier, rather than any SEC systems. Fortunately, the SEC found no evidence of the attacker gaining access to their systems, data, devices, or other social media accounts.
To investigate and bring the perpetrator to justice, the SEC is working in collaboration with the Federal Bureau of Investigation, Homeland Security, the US Department of Justice, and its own Division of Enforcement. The involvement of these agencies underscores the seriousness of this incident and the need for swift action. Additionally, the statement released by the SEC highlights the ongoing investigation into how the attacker convinced the carrier to change the SIM for the account and how they obtained the associated phone number.
This alarming breach serves as a reminder of the importance of robust security measures and the need for constant vigilance in protecting sensitive information. The SEC will undoubtedly learn valuable lessons from this incident and implement stronger security protocols moving forward.