The U.S. Securities and Exchange Commission said on Monday that its official account on X (formerly Twitter) was compromised earlier this month and that a SIM swapping attack was the culprit, CNBC reported.
On January 9, an unauthorized party gained access to the @SECGov account and published a false post claiming that the agency had approved the first-ever spot Bitcoin exchange-traded fund. Cryptocurrency markets moved on the unauthorized post, with Bitcoin prices initially surging to nearly $48,000. Bitcoin then fell below $46,000 after the SEC clarified that it had not approved a Bitcoin ETF.
"Two days after the incident, and in consultation with the SEC's telecommunications carriers, the SEC determined that during an apparent 'SIM swap' attack, an unauthorized party gained control of the SEC mobile phone number associated with the account," an SEC spokesperson said in a statement.
SIM swapping is when a phone number is transferred to another device without the owner's permission, allowing bad actors to receive text messages and voice calls meant for the victim.
After obtaining control of the phone number, the unknown party reset the account password. Because the SEC had not enabled two-factor authentication at the time, the SIM swap and the subsequent password reset were the only two steps needed to gain full access to the agency's account.
"While the @SECGov X account previously had multi-factor authentication (MFA) enabled, X Support disabled the feature at the request of staff in July 2023 due to issues accessing the account," the SEC said in a statement. "Once access was re-established, MFA remained disabled until staff re-enabled it on January 9 after the account was compromised."
Currently, all SEC social media accounts on platforms that offer MFA have it enabled. The agency is able to re-enable two-factor authentication on its X account itself and does not rely on X to do so.
Elon Musk, X's owner and chief technology officer, took a jibe at the U.S. Securities and Exchange Commission (SEC) after its account on X was compromised. Musk also reposted a statement from X's safety team after the incident, saying that the compromise "was not due to X's systems being compromised."
X did not immediately respond to questions from CNBC about whether the platform continues to cooperate with investigators or whether the company plans to change the design or any functionality related to government agency accounts in response to the SEC account breach.
The SEC said there is no evidence that an unauthorized party accessed the SEC's systems, data, equipment or other social media accounts. Instead, the agency said, "the phone number was accessed through a telecommunications carrier," and law enforcement is still investigating how the person "got the carrier to change the account's SIM card and how the person knew which phone number was associated with the account."
The SEC said it is continuing to cooperate with multiple law enforcement and federal oversight entities, including the SEC Office of Inspector General, the FBI, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice and the SEC's own enforcement division.