SEC reveals how its Twitter account was hacked - and it's rather embarrassing

News
By Benedict Collins
published

Basic security measures were not implemented by the SEC

Code on screen
(Image credit: Shutterstock)

The US Securities and Exchange Commission (SEC) has revealed more details surrounding the recent hack of its social media accounts, including some slightly embarassing details around how the attack was possible.

The SEC X account was hacked on January 10, with the single malicious act being a tweet announcing that it had allowed the use of Bitcoin Exchange Traded Funds (ETF). However, the announcement was deleted 20 minutes later and the SEC announced that its X account had been compromised.

Now the SEC has announced that not only did the account not have multi-factor authentication (MFA) turned on, but the account was breached in a SIM-swapping attack.

SEC disabled its own MFA

In a statement, the SEC revealed hackers were able to access the account through a SIM-swapping attack, where a hacker gains control of a phone number by tricking the providers into transferring control of the phone number to the hackers device. This gave them access to any and all incoming texts and calls to the target device.

This allowed the hacker to reset the password to the SEC X account and publish its post, which caused the price of Bitcoin to spike to $48,000 before dropping by 6% after it was confirmed as false. The SEC then announced later the same day that while the original announcement was indeed false, they had actually approved Bitcoin ETFs.

In a statement, the SEC said, “Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack.”

The SEC had contacted X to disable the multi-factor authentication as it was causing issues while attempting to log in. If the security measure had been enabled on the account then the hackers would not have gained access to the SECGov account.

Speaking to TechRadar Pro, Dr Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University, commented: "It is another timely reminder that 2FA via SMS is susceptible to interception and shall be replaced by more robust 2FA mechanisms, for instance, OTP via mobile app.

"While the SEC’s X account hack is a minor security incident, all governmental agencies shall review the security of their social network accounts. A breach of the SEC account can possibly cause market volatility for a short period of time, however, a message on X by the US Department of Defense announcing war or a nuclear strike can trigger unpredictable and devastating consequences globally."

Via BleepingComputer

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but also likes to draw on his knowledge of geopolitics and international relations to understand the motivations and consequences of state-sponsored cyber attacks. Benedict has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham.