SEC Negligently Disabled Additional Security Measures, Resulting in Hacker Breaching X Account for 7 Months
In a concerning turn of events, the U.S. Securities and Exchange Commission (SEC) recently fell victim to a security breach that allowed a hacker to gain unauthorized access to one of the agency’s cell phones linked to its X account. The hacker managed to exploit a “SIM swap” attack, taking control of the cell phone and posting false information regarding the approval of spot bitcoin exchange-traded funds (ETFs) before the official announcement by the SEC.
The SEC disclosed that it had disabled its multi-factor authentication for the X account as early as July 2023, leaving it vulnerable to cyber attacks for a staggering period of 7 months. The deactivation was supposedly due to difficulties in accessing the account, according to a spokesperson from the agency. The SEC, renowned for its emphasis on security and advisory role for investors, faced considerable embarrassment as a result of this security lapse.
While the hack exploited the vulnerability of the cell phone rather than the SEC’s internal systems, it raises serious concerns about the agency’s negligence in maintaining robust security measures. The SEC clarified that there is no evidence of the unauthorized party gaining access to their systems, data, devices, or other social media accounts. However, the identity of the telecom carrier that allowed the hacker to gain control of the phone number remains undisclosed.
Law enforcement agencies, including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission, and the Department of Justice, are collaborating with the SEC to investigate the incident thoroughly. Questions surrounding how the unauthorized party convinced the telecom carrier to change the SIM for the account and how they identified the associated phone number are currently under scrutiny.
Following the hack, the SEC expedited its approval process for bitcoin ETFs, likely due to the massive market reaction caused by the false news. Notably, X (formerly known as Twitter) asserted that the compromise was not a result of any breach in its systems but rather the consequence of an unidentified individual gaining control over the phone number through a third party.
SIM swap attacks, where hackers manipulate phone numbers to gain unauthorized access, have been a prevalent threat in the crypto space for several years. Cryptocurrency holders often become targets as attackers aim to steal their digital assets. In a similar incident last year, attackers targeted Friend.Tech users and successfully made off with their ether holdings.
As the investigation continues and the SEC faces criticism for its security practices, the incident serves as a stark reminder of the importance of maintaining robust cybersecurity measures to safeguard sensitive financial accounts.