The US Securities and Exchange Commission (SEC) has revealed more details surrounding the recent hack of its social media accounts, including some slightly embarrassing details about how the attack was possible.
The SEC's X account was hacked on January 10, with the single malicious act being a post announcing that it had allowed the use of Bitcoin exchange-traded funds (ETFs). However, the announcement was deleted 20 minutes later, and the SEC announced that its X account had been compromised.
Now the SEC has announced that not only did the account not have multi-factor authentication (MFA) turned on, but the account was breached in a SIM-swapping attack.
SEC disabled its own MFA
In a statement, the SEC revealed that hackers were able to access the account through a SIM-swapping attack, in which an attacker gains control of a phone number by tricking the carrier into transferring it to the attacker's device. This gave them access to any and all incoming texts and calls to that number.
This allowed the hacker to reset the password of the SEC's X account and publish the post, which caused the price of Bitcoin to spike to $48,000 before dropping by 6% once the post was confirmed as false. The SEC then announced later the same day that, while the original announcement was indeed false, it had in fact approved Bitcoin ETFs.
In a statement, the SEC said, “Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack.”
The SEC had asked X to disable multi-factor authentication on the account because it was causing problems when logging in. Had the security measure still been enabled on the account, the hackers would not have gained access to the SECGov account.
Speaking to TechRadar Pro, Dr Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University, commented: "It is another timely reminder that 2FA via SMS is susceptible to interception and shall be replaced by more robust 2FA mechanisms, for instance, OTP via mobile app.
"While the SEC’s X account hack is a minor security incident, all governmental agencies shall review the security of their social network accounts. A breach of the SEC account can possibly cause market volatility for a short period of time, however, a message on X by the US Department of Defense announcing war or a nuclear strike can trigger unpredictable and devastating consequences globally."
Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security.