The U.S. Securities and Exchange Commission (SEC) has officially confirmed that the takeover of its X account was the result of a SIM-swapping attack on the cell phone number associated with the account.
The incident, which occurred on January 9, 2024, began with a false post from the account suggesting that the SEC had approved spot bitcoin Exchange-Traded Funds (ETFs), causing widespread misinformation.
SIM-Swap Attack Behind SEC X Account Hack
More than 10 days after the breach, the SEC released an official statement detailing the nature of the attack. The unauthorized party gained control of the SEC cell phone number associated with the SEC X account through a SIM swap attack, in which the telecom carrier is persuaded to move a subscriber's phone number onto a SIM card controlled by the attacker, so that calls and text messages to that number, including SMS verification codes, are delivered to the attacker's device.
The SEC clarified that the phone number was taken over at the telecom carrier, not through SEC systems, and that staff found no evidence of any broader intrusion.
“SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts,” reads the SEC official Statement.
The SEC is actively coordinating with law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice, and the SEC’s own Division of Enforcement.
Upon gaining control of the phone number, the unauthorized party reset the password for the @SECGov account, since the password-reset verification code was delivered by SMS to the number they now controlled. Law enforcement is currently investigating how the party convinced the carrier to change the SIM for the account and how they learned which phone number was associated with the account.
Role of Multi-Factor Authentication (MFA)
Notably, multi-factor authentication (MFA) had been enabled on the @SECGov X account in the past but was disabled by X Support in July 2023 at the staff's request due to account access issues. MFA remained disabled until it was re-enabled after the account was compromised on January 9. MFA is now enabled on all SEC social media accounts that offer it.
Even had it remained enabled, SMS-based MFA would not have prevented this breach: a SIM swap delivers one-time passcodes sent by text to the attacker's device along with the password-reset code. MFA based on an authenticator app (time-based one-time passwords, TOTP) or a hardware security key is a materially stronger defense, because the shared secret or private key lives only on the device the account owner holds and never passes through the telecom carrier.
In that configuration, the threat actor could still have reset the password via SMS but would have been unable to produce the second factor, and so could not have logged in. The caveat is that the protection holds only if the account's recovery and password-reset flows do not fall back to SMS on their own; a recovery path that accepts a text message alone reintroduces the same weakness.
This incident is the latest in a series of takeovers of X accounts, with three major X accounts hijacked within a week, underlining that SMS-reliant account recovery remains a persistent weak point.
The SEC continues to address these challenges, reinforcing the need for stronger account protections and urging broader adoption of MFA, preferably app- or hardware-based rather than SMS, for a more resilient defense against such attacks.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.