The hacking of the Securities and Exchange Commission's (SEC) X (the platform formerly known as Twitter) account earlier this month was the result of a “SIM swap” attack, an agency spokesperson announced Tuesday.
An “unauthorized party” used SIM swapping to gain control of the phone number associated with the SEC's X account and reset the password, the spokesperson said.
SIM swapping allows scammers to transfer a phone number to a fraudulent device so that they can receive voice and SMS communications associated with that number.
An SEC spokesperson said access to the phone number was obtained through the SEC's carrier, and pointed out that there was no evidence that unauthorized parties “accessed SEC systems, data, devices and other social media accounts.”
“In particular, law enforcement is currently investigating how unauthorized parties got carriers to change the SIM on an account and how the parties learned which phone numbers were associated with the account. We are currently investigating whether this is the case,” the spokesperson added.
Multi-factor authentication for SEC accounts was also disabled at the request of SEC staff last July “due to issues accessing the account,” and remained disabled until the January 9 hack, the spokesperson said.
“MFA is now enabled on all SEC social media accounts that offer MFA,” they added.
The SEC revealed that its X account was hacked earlier this month after it appeared to approve several highly anticipated Bitcoin investment funds.
Although the agency quickly removed the fake announcement and replaced it with a disavowal, the breach drew criticism from lawmakers on both sides of the aisle and prompted calls for an investigation, especially after X revealed that two-factor authentication was not enabled on the SEC's account.