The US Securities and Exchange Commission (SEC) has said that threat actors using SIM-swapping techniques were to blame for its X (formerly Twitter) account being hijacked earlier this month.
The SEC had its X account taken over on 9 January 2024 by an unauthorised user, who proceeded to announce that the SEC would be granting approval to bitcoin exchange-traded funds (ETFs) for listing on registered national security exchanges.
“The approved bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection,” the post said.
The SEC quickly stated that the post had not been made by the agency but by an unauthorised user. Despite this, the SEC officially announced the approval of bitcoin ETFs the next day.
Now, the SEC has provided an update as to how the user gained access to its X account, saying that the threat actor used SIM-swapping techniques.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorised party obtained control of the SEC cellphone number associated with the account in an apparent ‘SIM swap’ attack,” said the SEC.
“SIM swapping is a technique used to transfer a person’s phone number to another device without authorisation, allowing the unauthorised party to begin receiving voice and SMS communications associated with the number.
“Access to the phone number occurred via the telecom carrier, not via SEC systems.
“SEC staff have not identified any evidence that the unauthorised party gained access to SEC systems, data, devices, or other social media accounts.”
SIM swapping is a technique in which an attacker has a victim’s phone number moved to a device under the attacker’s control, so that calls and texts sent to that number reach the attacker instead of the owner. From there, the attacker can intercept SMS verification codes and password reset messages and, in turn, take over any account whose recovery or second factor relies on that phone number.
“Once in control of the phone number, the unauthorised party reset the password for the @SECGov account,” added the SEC.
“Among other things, law enforcement is currently investigating how the unauthorised party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”
The SEC also addressed its lack of multifactor authentication (MFA), an issue that was brought up by X itself not long after the breach.
“We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” wrote X on its own platform.
“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security.”
Responding to this in its latest update, the SEC said it didn’t have MFA enabled due to previous issues accessing the account.
“While multifactor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” wrote the SEC.
“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”