SEC reveals how its Twitter account was hacked - and it's rather embarrassing


The US Securities and Exchange Commission (SEC) has revealed more details surrounding the recent hack of its social media accounts, including some slightly embarrassing details around how the attack was possible.

The SEC X account was hacked on January 10, with the single malicious act being a tweet announcing that it had approved Bitcoin Exchange Traded Funds (ETFs). The announcement was deleted 20 minutes later, and the SEC confirmed that its X account had been compromised.

Now the SEC has announced that not only did the account not have multi-factor authentication (MFA) turned on, but the account was breached in a SIM-swapping attack.

SEC disabled its own MFA

In a statement, the SEC revealed hackers were able to access the account through a SIM-swapping attack, in which an attacker gains control of a phone number by tricking the carrier into transferring the number to the attacker's device. This gave them access to any and all incoming texts and calls intended for the target number.

With the phone number under their control, the hacker could reset the password of the SEC X account and publish the post, which caused the price of Bitcoin to spike to $48,000 before dropping by 6% after the post was confirmed as false. Later the same day the SEC announced that, while the original post was indeed unauthorised, it had in fact approved Bitcoin ETFs.

In a statement, the SEC said, “Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack.”

The SEC had previously asked X to disable multi-factor authentication on the account because it was causing problems when staff attempted to log in. Had the security measure still been enabled, the phone-number takeover alone would not have given the hackers access to the SECGov account.

Speaking to TechRadar Pro, Dr Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University, commented: "It is another timely reminder that 2FA via SMS is susceptible to interception and shall be replaced by more robust 2FA mechanisms, for instance, OTP via mobile app.

"While the SEC’s X account hack is a minor security incident, all governmental agencies shall review the security of their social network accounts. A breach of the SEC account can possibly cause market volatility for a short period of time, however, a message on X by the US Department of Defense announcing war or a nuclear strike can trigger unpredictable and devastating consequences globally."

Via BleepingComputer


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.