Investing.com - Financial Markets Worldwide
🐂 Not all bull runs are created equal. November’s AI picks include 5 stocks up +20% eachUnlock Stocks

SEC X Account Breach: SIM Swap Attack Bypassed Disabled MFA

Published 23/01/2024, 08:37
SEC X Account Breach: SIM Swap Attack Bypassed Disabled MFA

Coin Edition -

  • SEC’s X account was compromised through a “SIM swap” attack, hijacking the linked phone number.

  • Multi-factor authentication (MFA) was disabled at the SEC’s request in July 2023.

  • Investigation ongoing, focusing on attack method and attacker’s knowledge of phone number.

In a recent update on the security breach of the SEC’s official X account (@SECGov), the regulator disclosed that unauthorized access occurred due to a SIM swap attack and a disabled multi-factor authentication (MFA) feature.

During the ongoing investigation, the SEC revealed that the unauthorized party gained control of the SEC phone number linked to the account through a “SIM swap” attack. By exploiting this method, the unauthorized party bypassed password reset protections and took control of the @SECGov X account.

For those unfamiliar, SIM swapping is a technique where an attacker tricks a telecom carrier into transferring a phone number to a new device. This allows the attacker to receive calls and texts meant for the original owner.

The SEC however clarified that the “access to the phone number occurred via the telecom carrier, not via SEC systems.” The SEC assured the public that despite the unauthorized access, its systems, data, devices, and other social media accounts remain secure.

The SEC underscored that law enforcement is now actively investigating both how the attacker convinced the telecom carrier to perform the SIM swap and how they identified the specific phone number associated with the @SECGov X account.

Furthermore, the statement revealed that MFA, an additional security layer, was disabled on the account in July 2023 at the request of SEC staff due to access issues. This critical security measure was only re-enabled after the hack, leaving the account vulnerable until then.

The unauthorized party, exploiting the compromised X account, made false announcements on January 9 regarding the Commission’s approval of spot bitcoin exchange-traded funds.

Acknowledging the incident’s impact on investor confidence and market stability, Chair Gary Gensler stated, “The SEC takes its cybersecurity obligations seriously.” The agency confirmed ongoing coordination with various law enforcement and federal oversight entities including the SEC’s OIG, FBI, CISA, CFTC, DOJ, and the SEC’s own Division of Enforcement, to investigate the attack and its implications.

The post SEC X Account Breach: SIM Swap Attack Bypassed Disabled MFA appeared first on Coin Edition.

Read more on Coin Edition

Latest comments

Install Our App
Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers
© 2007-2024 - Fusion Media Limited. All Rights Reserved.