SEC reveals how its Twitter account was hacked - and it’s rather embarrassing

Basic security measures were not implemented by the SEC


The US Securities and Exchange Commission (SEC) has revealed more details surrounding the recent hack of its social media accounts, including some slightly embarrassing details about how the attack was possible.

The SEC X account was hacked on January 10, with the single malicious act being a post announcing that the agency had approved Bitcoin exchange-traded funds (ETFs). The post was deleted about 20 minutes later, and the SEC announced that its X account had been compromised.

Now the SEC has confirmed that not only did the account not have multi-factor authentication (MFA) turned on, but that the account was breached through a SIM-swapping attack.

SEC disabled its own MFA


In a statement, the SEC revealed that the hackers were able to access the account through a SIM-swapping attack, in which an attacker gains control of a victim's phone number by tricking the mobile carrier into transferring that number to a SIM in the attacker's device. From that point on, every incoming text message and call intended for the victim, including SMS password-reset codes, is delivered to the attacker instead.

This allowed the hacker to reset the password on the SEC X account and publish the post, which caused the price of Bitcoin to spike to $48,000 before dropping by around 6% once the announcement was confirmed as false. Later the same day the SEC announced that, while the original post had been unauthorized, it had in fact approved spot Bitcoin ETFs.

In a statement, the SEC said, “Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”

The SEC had previously asked X to disable multi-factor authentication on the account because it was causing problems when staff tried to log in, and MFA was still switched off at the time of the attack. That left control of the phone number plus a password reset as all the attacker needed; had a second factor been in place, the SIM swap alone would not have been enough to get into the @SECGov account. One caveat worth noting: a second factor delivered by SMS would have been exposed to the same SIM swap, which is why the guidance below favours an authenticator app over text-message codes.


Speaking to TechRadar Pro, Dr Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University, commented: “It is another timely reminder that 2FA via SMS is susceptible to interception and shall be replaced by more robust 2FA mechanisms, for instance, OTP via mobile app.

“While the SEC’s X account hack is a minor security incident, all governmental agencies shall review the security of their social network accounts. A breach of the SEC account can possibly cause market volatility for a short period of time, however, a message on X by the US Department of Defense announcing war or a nuclear strike can trigger unpredictable and devastating consequences globally.”

Via BleepingComputer


Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
