SEC X account compromised in SIM swap attack


The United States Securities and Exchange Commission (SEC) has officially confirmed a cyberattack on its X account, revealing that the breach was the result of a SIM swap attack on the mobile phone number associated with the account.

The incident of SEC X account hackedwhich occurred on January 9, 2024, initially involved the distribution of a false announcement suggesting SEC approval of spot Bitcoin exchange-traded funds (ETFs), causing widespread misinformation.

SIM-Swap Attack Behind SEC X Account Hack

More than 10 days after the breach, the SEC issued a official statement detailing the nature of the attack. The unauthorized party gained control of the SEC cell phone number associated with the SEC X account through a SIM swap attack, a technique used to transfer a person’s phone number to another device without authorization.

The SEC clarified that access to the telephone number was through the telecommunications carrier and not through SEC systems. According to the SEC staff, there is no evidence to suggest that the unauthorized party had access to the SEC’s systems, data, devices or other social media accounts.

“The SEC staff has not identified any evidence that the unauthorized party gained access to the SEC’s systems, data, devices or other social media accounts,” reads the official SEC statement.

The SEC actively coordinates with federal law enforcement and oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice, and the SEC’s own Division of Enforcement.

After taking control of the phone number, the unauthorized party reset the @SECGov account password. Law enforcement is currently investigating how the party convinced the carrier to change the account’s SIM card and how they knew the phone number associated with the account.

Role of Multi-Factor Authentication (MFA)

Notably, multi-factor authentication (MFA) had been enabled on the @SECGov X account in the past, but was disabled by X Support in July 2023 at the request of staff due to account access issues. M.F.A. remained disabled until reactivated after the account was compromised on January 9. MFA is currently enabled for all SEC social media accounts that offer it.

While the Previously enabled MFA via SMS would not have been effective in preventing the breach because the attackers could have obtained the one-time passcodes, configuring MFA to use an authenticator application could have provided a stronger defense.

In such a scenario, the using an authenticator app would have prevented malicious actors from accessing the account even after successfully changing the password.

This incident marks the latest in a series of cyberattacks on X accountswith three big X accounts hacked in a week, highlighting the persistent threat landscape.

The SEC continues to address these challenges, reinforcing the need for enhanced cybersecurity measures and calling for broader adoption of MFA for a more resilient defense against cyber threats.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. THE Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.

Leave a comment