SEC account hack result of ‘SIM swap’ attack, agency says

The hack of the Securities and Exchange Commission’s (SEC) account on X, the platform formerly known as Twitter, earlier this month was the result of a “SIM swap” attack, an agency spokesperson said Tuesday.

An “unauthorized party” used SIM swapping to obtain control of the phone number associated with the SEC’s X account and reset the password, the spokesperson said.

SIM swapping allows scammers to receive the voice calls and SMS messages (including password-reset codes) sent to a phone number by having the carrier transfer that number to a SIM card or device the scammer controls.

The SEC spokesperson said access to the phone number occurred via the agency’s telecom carrier, noting there is no evidence the unauthorized party “gained access to SEC systems, data, devices, or other social media accounts.”

“Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the spokesperson added.

Multifactor authentication for the SEC’s account had also been disabled at the request of the agency’s staff last July “due to issues accessing the account” and remained disabled until the hack on Jan. 9, the spokesperson said.

“MFA currently is enabled for all SEC social media accounts that offer it,” they added.

The SEC revealed its X account had been hacked earlier this month, after it appeared to approve several highly anticipated bitcoin investment funds.

While the agency quickly took down the fake announcement and replaced it with a disavowal, the breach prompted criticism and calls for investigation from lawmakers on both sides of the aisle, particularly after X revealed the SEC’s account did not have two-factor authentication enabled.

Updated at 5:30 p.m.