SEC account hack result of ‘SIM swap’ attack, agency says

FILE - The seal of the U.S. Securities and Exchange Commission at SEC headquarters, June 19, 2015, in Washington. The Securities and Exchange Commission said Tuesday, Jan. 9, 2024, that a post on X, formerly known as Twitter, announcing that the securities regulator had approved the trading of exchange-traded funds holding bitcoin was fake, and that the agency’s account had been “compromised.” (AP Photo/Andrew Harnik, File)

The hack of the Securities and Exchange Commission’s (SEC) account on X, the platform formerly known as Twitter, earlier this month was the result of a “SIM swap” attack, an agency spokesperson said Tuesday.

An “unauthorized party” used SIM swapping to obtain control of the phone number associated with the SEC’s X account and reset the password, the spokesperson said. 

SIM swapping allows scammers to receive voice and SMS communications associated with a phone number by transferring the number to an unauthorized device.

The SEC spokesperson said access to the phone number occurred via the agency’s telecom carrier, noting there is no evidence the unauthorized party “gained access to SEC systems, data, devices, or other social media accounts.”

“Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the spokesperson added.

Multifactor authentication for the SEC’s account had also been disabled at the request of the agency’s staff last July “due to issues accessing the account” and remained disabled until the hack on Jan. 9, the spokesperson said.
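The two weaknesses the article describes, a password reset that runs through a phone number and MFA that was switched off, are the kind of thing an account-hygiene audit can flag before an incident. The following is an added example, not code from the SEC, X, or the article's author; the account records in it are constructed, and the method names ("sms", "voice_call", "totp", "fido2", "email") are assumed labels for whatever an organisation's inventory actually records. It classifies each account's reset and MFA settings by whether control of the phone number alone would be enough to take it over.

```python
"""Audit account recovery and MFA settings for SIM-swap exposure.

Added example. The account records below are constructed for illustration
and do not describe any real organisation's accounts.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Factors that ultimately depend on receiving SMS or voice calls at a number.
# A SIM swap moves that number to a device the attacker controls, so anything
# in this set is only as strong as the carrier's port-out controls.
PHONE_BOUND_FACTORS = {"sms", "voice_call"}


@dataclass
class AccountRecord:
    name: str
    mfa_enabled: bool
    mfa_methods: List[str] = field(default_factory=list)       # e.g. "sms", "totp", "fido2"
    password_reset_methods: List[str] = field(default_factory=list)  # e.g. "sms", "email"


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def audit_account(acct: AccountRecord) -> List[Finding]:
    """Return the SIM-swap-related findings for one account."""
    findings: List[Finding] = []

    # A phone-bound password reset lets whoever holds the number set a new
    # password; this is the path the article describes.
    phone_reset = sorted(PHONE_BOUND_FACTORS.intersection(acct.password_reset_methods))
    if phone_reset:
        findings.append(Finding(
            "high",
            f"password reset via {', '.join(phone_reset)}: control of the linked "
            "phone number is enough to reset the password"))

    if not acct.mfa_enabled:
        # With no second factor, a password reset alone gives full control.
        findings.append(Finding("high", "MFA disabled: a password reset alone yields full access"))
        return findings

    phone_mfa = sorted(PHONE_BOUND_FACTORS.intersection(acct.mfa_methods))
    strong_mfa = [m for m in acct.mfa_methods if m not in PHONE_BOUND_FACTORS]
    if phone_mfa and not strong_mfa:
        findings.append(Finding(
            "medium",
            f"only phone-bound MFA ({', '.join(phone_mfa)}): a SIM swap defeats the second factor"))
    elif phone_mfa:
        # A stronger factor exists, but the phone-bound one remains as a
        # fallback the attacker can choose instead.
        findings.append(Finding(
            "low",
            f"phone-bound MFA ({', '.join(phone_mfa)}) still enrolled alongside "
            f"{', '.join(strong_mfa)}; remove it so it cannot be used as a fallback"))
    return findings


def audit_all(accounts: List[AccountRecord]) -> Dict[str, List[Finding]]:
    """Audit every account; only accounts with findings appear in the result."""
    report: Dict[str, List[Finding]] = {}
    for acct in accounts:
        found = audit_account(acct)
        if found:
            report[acct.name] = found
    return report


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    AccountRecord("press-account-a", mfa_enabled=False,
                  password_reset_methods=["sms", "email"]),
    AccountRecord("press-account-b", mfa_enabled=True, mfa_methods=["sms"],
                  password_reset_methods=["email"]),
    AccountRecord("press-account-c", mfa_enabled=True, mfa_methods=["fido2", "sms"],
                  password_reset_methods=["email"]),
    AccountRecord("press-account-d", mfa_enabled=True, mfa_methods=["fido2"],
                  password_reset_methods=["email"]),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        for f in findings:
            print(f"{name}: [{f.severity}] {f.message}")
```

Run on the sample inventory, the first account (phone-number reset and no MFA) produces two high findings, the SMS-only MFA account a medium one, the account with a phone-bound fallback a low one, and the account using only a hardware-backed factor none. In a real deployment the records would come from each platform's account settings export; the useful part is the classification, which treats any factor delivered to a phone number as something a carrier-side change can undermine.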

“MFA currently is enabled for all SEC social media accounts that offer it,” they added.

The SEC revealed its X account had been hacked earlier this month, after it appeared to approve several highly anticipated bitcoin investment funds. 

While the agency quickly took down the fake announcement and replaced it with a disavowal, the breach prompted criticism and calls for investigation from lawmakers on both sides of the aisle, particularly after X revealed the SEC’s account did not have two-factor authentication enabled.

Updated at 5:30 p.m.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.