The unidentified individual gained access through a SIM swap, followed by a password reset, as the SEC lacked 2FA. These two steps granted complete control over the account.
The US Securities and Exchange Commission (SEC) announced on Monday that a SIM swap attack was the cause of the unauthorized access to its official account on X, formerly known as Twitter, earlier this month.
On January 9, an unauthorized party exploited the @SECGov account, posting a fake announcement claiming that the SEC had granted approval for the first-ever spot Bitcoin exchange-traded funds (ETFs). The false information triggered a response in the cryptocurrency market, leading to an initial surge in bitcoin prices to nearly $48,000 from the day’s low, slightly above $45,000.
Subsequently, after the SEC clarified that no approval had been granted for the Bitcoin ETF, prices dropped below $46,000. Speaking to CNBC, an SEC spokesperson said:
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”
A SIM swap occurs when a phone number is moved to another device without the owner’s consent, enabling the perpetrator to receive the SMS messages and voice calls intended for the victim. According to cybersecurity expert Chris Pierson, SIM swap attacks have evolved into a more significant security threat for government agencies and corporations, as reported by CNBC. He added:
“Originally, these attacks flourished as a means for criminals to hijack an individual’s cryptocurrency wallet or account, but they’re now being weaponized by other criminal actors and nation-states for a much wider range of uses.”
SEC Lacked Two-Factor Authentication
The recent breach of the US SEC’s official Twitter account was a SIM swap attack that succeeded because two-factor authentication (2FA) was not enabled on the account, according to a statement released by the SEC on Monday.
The unidentified individual gained access to the account by executing a SIM swap and subsequently resetting the password. Notably, the SEC did not have 2FA enabled at the time, making the SIM swap and password change the sole requirements for complete account access.
The SEC disclosed that while multi-factor authentication (MFA) had been previously activated on the @SECGov X account, X Support disabled it in July 2023 at the staff’s request due to account access issues. MFA remained inactive until staff reenabled it after the compromise on January 9. The SEC clarified that MFA is currently active for all SEC social media accounts offering this security feature.
Crucially, the SEC had the capability to reactivate two-factor authentication for its X account independently and was not reliant on X to implement this security measure.
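The takeover path described above (control of the phone number, then an SMS password reset, then no second factor to stop the attacker) can be turned into a simple configuration audit. The following is an added example, not SEC or X code: it models each account's password-reset channels and MFA methods and flags the accounts that a SIM swap alone would fully compromise. It goes one step beyond the article by also flagging accounts whose only second factor is SMS or voice, since a swapped number satisfies those factors too. The account records, handles and setting names are constructed for the illustration.

```python
"""Audit which accounts a SIM swap alone would fully compromise.

Added illustration (not SEC or X code). Models the chain from the article:
control of the phone number -> SMS password reset -> no second factor ->
full account access. Account records and setting names are constructed.
"""
from dataclasses import dataclass, field

# Factors an attacker effectively holds once the victim's number is swapped.
PHONE_CONTROLLED_FACTORS = {"sms", "voice_call"}


@dataclass
class AccountConfig:
    handle: str
    mfa_enabled: bool
    # Second-factor methods in use, e.g. {"sms"}, {"totp"}, {"security_key"}
    mfa_methods: set = field(default_factory=set)
    # Channels on which a password-reset code can be delivered
    reset_channels: set = field(default_factory=set)


def sim_swap_takeover_possible(acct: AccountConfig) -> bool:
    """True if owning the phone number alone yields full account access."""
    # Step 1: can a password reset be completed over a phone-delivered channel?
    reset_via_phone = bool(acct.reset_channels & PHONE_CONTROLLED_FACTORS)
    if not reset_via_phone:
        return False
    # Step 2: is there a second factor that the phone number does not satisfy?
    if not acct.mfa_enabled:
        return True  # the situation the article describes: reset alone suffices
    # SMS/voice second factors are delivered to the swapped number as well.
    strong_factors = acct.mfa_methods - PHONE_CONTROLLED_FACTORS
    return len(strong_factors) == 0


def audit(accounts):
    """Return {handle: reason} for accounts exposed to takeover via SIM swap."""
    findings = {}
    for a in accounts:
        if sim_swap_takeover_possible(a):
            if not a.mfa_enabled:
                findings[a.handle] = "no MFA; phone-based reset gives full access"
            else:
                findings[a.handle] = "MFA only via SMS/voice; defeated by SIM swap"
    return findings


# Constructed sample inventory; handles are placeholders, not real accounts.
SAMPLE_ACCOUNTS = [
    AccountConfig("@agency_main", mfa_enabled=False,
                  reset_channels={"sms", "email"}),
    AccountConfig("@agency_press", mfa_enabled=True, mfa_methods={"sms"},
                  reset_channels={"sms"}),
    AccountConfig("@agency_alerts", mfa_enabled=True, mfa_methods={"totp"},
                  reset_channels={"sms", "email"}),
    AccountConfig("@agency_careers", mfa_enabled=False,
                  reset_channels={"email"}),
]

if __name__ == "__main__":
    for handle, reason in audit(SAMPLE_ACCOUNTS).items():
        print(f"{handle}: {reason}")
```

Only the accounts that pair a phone-delivered reset with no phone-independent second factor are reported; the account protected by an authenticator app passes even though its reset code can still be sent by SMS, which is the point of re-enabling a non-SMS factor.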
Elon Musk, owner and Chief Technology Officer of X, took the opportunity to mock the SEC, an agency he has had conflicts with for years, following the breach of its X account. Musk also shared a Twitter Safety post emphasizing that the compromise was not a result of any breach in X’s systems.