The U.S. Securities and Exchange Commission (SEC) acknowledged that its X account suffered a security breach through a SIM-swapping attack on the associated cell phone number. This incident occurred earlier this month when hackers, leveraging the SIM-swap technique, gained control of the SEC cell phone number linked to the X account. The attackers, after successfully executing the SIM swap, used this access to reset the password for the @SECGov account, enabling them to disseminate a fake announcement about the approval of Bitcoin ETFs.
The SEC clarified that despite this breach, the hackers did not infiltrate the agency’s internal systems, data, devices, or other social media accounts. The focus of the attack was on manipulating the SEC’s communication channels. The agency is actively collaborating with law enforcement to investigate the intricacies of the SIM-swapping attack, emphasizing that multi-factor authentication (MFA) was not enabled on the compromised account. The absence of MFA left the account vulnerable, prompting a reminder that MFA should be implemented through more secure means, such as hardware security keys or authentication apps, rather than relying on SMS.