SEC's Security Lapse on X: A Six-Month Open Door for Hackers
SEC Acknowledges SIM Swap Attack on Agency's Cell Phone
The United States Securities and Exchange Commission (SEC) has confirmed that a hacker managed to gain control over an agency-associated cell phone, compromising its X account. The perpetrator exploited this access to disseminate false information about the approval of spot bitcoin exchange-traded funds (ETFs).
Account Compromised Through Telecom Carrier
The SEC revealed that the hacker executed a SIM swap attack, which enabled them to take control of the phone number linked to the X account. On January 9, a full day before the actual approval, the hacker used this access to post falsely that the SEC had given the green light for spot bitcoin ETFs. The SEC clarified that the breach occurred via the telecom carrier, not through the SEC's systems. The identity of the telecom carrier remains unknown.
Disabling of Multi-factor Authentication
In an unfortunate turn of events, the SEC had deactivated multi-factor authentication for the account back in July 2023 due to access issues. This security measure has since been reinstated. The hacker's misleading post on X led many to incorrectly believe that the SEC had already approved the ETFs, causing an unexpected market reaction. The false news was promptly debunked as a hack.
Investigation into the Breach
After gaining control of the phone number, the hacker was able to reset the password for the @SECGov account. Law enforcement agencies are probing how the hacker persuaded the carrier to change the SIM for the account and how they knew the phone number linked to the account. Following the breach, the SEC promptly moved to approve bitcoin ETFs.
Statement from X Regarding the Incident
X, previously known as Twitter, issued a statement on the incident two weeks ago. The platform corroborated the SEC's narrative, stating that the breach occurred due to a third party gaining control over the phone number associated with the @SECGov account, rather than a breakdown in X's systems.
Ongoing Investigations
Several oversight and law enforcement agencies including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission, and the Department of Justice are collaborating with the SEC in the ongoing inquiry.
Prevalence of SIM Swap Attacks
SIM swap attacks have become a significant concern in the crypto space, with hackers primarily using them to gain access to victims' phone numbers and steal their crypto holdings. For instance, Friend.Tech users were targeted in a similar attack last year, resulting in the theft of users' ether holdings.