
SEC Says ‘SIM Swap’ Attack Enabled Takeover of X Account 

The Jan. 9 hack of the Securities and Exchange Commission’s (SEC) account on the social media platform X (formerly known as Twitter) was apparently the result of a “SIM swap” attack. 

The regulator announced this finding in a Monday (Jan. 22) statement to the media, which was posted to a web page devoted to providing updates on the incident. 

In a SIM swap attack, a person’s phone number is transferred to another device without authorization, allowing the attacker to receive voice and SMS communications directed at that number, according to the statement. 

“Access to the phone number occurred via the telecom carrier, not via SEC systems,” the SEC said in the statement. “SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices or other social media accounts.” 

SEC staff are working with several law enforcement agencies and federal oversight entities to investigate the incident, including how the attacker knew which phone number was associated with the account and how they got the carrier to change the SIM for that number, according to the release. 

Multi-factor authentication (MFA) was not enabled at the time of the attack, the release said. MFA is now enabled for all SEC social media accounts that offer it. 
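The two preceding paragraphs describe the mechanism (a number moved to an attacker's device, so SMS codes land with the attacker) and the missing control (no MFA). The following is an added example, not code from PYMNTS, the SEC or X, showing the kind of defender-side check an organization that receives carrier SIM-change notifications could run: it correlates an SMS-based authentication success with a recent SIM change on the same number, and separately flags accounts whose only second factor or recovery path runs through the phone number. The log format, field names, the 48-hour window and the sample events are all constructed assumptions.

```python
"""Correlate SMS-based authentication with recent SIM changes (added example).

Assumptions (not from the article): a line-oriented event feed with an ISO-8601
timestamp followed by key=value pairs, where kind=sim_change comes from a carrier
notification and kind=sms_otp_success from the platform's own auth log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feed; phone numbers and account names are placeholders.
SAMPLE_LOG = """\
2024-01-08T10:15:00Z kind=sms_otp_success phone=+15550100 account=press_office
2024-01-09T13:40:00Z kind=sim_change phone=+15550100
2024-01-09T14:02:11Z kind=sms_otp_success phone=+15550100 account=press_office
2024-01-09T15:00:00Z kind=sms_otp_success phone=+15550199 account=other_team
"""

# How long after a SIM change an SMS-based login is treated as suspicious (assumed).
WINDOW = timedelta(hours=48)


@dataclass
class Event:
    ts: datetime
    kind: str
    phone: str
    account: str = ""


def parse_events(text):
    """Parse the constructed feed into Event objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "kind" not in fields or "phone" not in fields:
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        events.append(Event(ts, fields["kind"], fields["phone"], fields.get("account", "")))
    return events


def flag_sms_auth_after_sim_change(events, window=WINDOW):
    """Return (account, phone, sim_change_ts, auth_ts) tuples for every SMS-based
    authentication that happened within `window` after a SIM change on that number.
    Events are processed in time order so only changes *before* the auth count."""
    changes_by_phone = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sim_change":
            changes_by_phone.setdefault(ev.phone, []).append(ev.ts)
        elif ev.kind == "sms_otp_success":
            for change_ts in changes_by_phone.get(ev.phone, []):
                if timedelta(0) <= ev.ts - change_ts <= window:
                    flagged.append((ev.account, ev.phone, change_ts, ev.ts))
                    break
    return flagged


def account_relies_only_on_phone(methods):
    """True when every configured factor or recovery channel goes through the phone
    number (SMS or voice), i.e. a SIM swap alone defeats all of them. An empty list
    means no MFA at all and is reported as False so it is handled as its own case."""
    phone_channels = {"sms", "voice"}
    return bool(methods) and set(m.lower() for m in methods) <= phone_channels


if __name__ == "__main__":
    for acct, phone, changed, authed in flag_sms_auth_after_sim_change(parse_events(SAMPLE_LOG)):
        print(f"SUSPECT: {acct} via {phone}: SIM changed {changed}, SMS auth {authed}")
    print("sms-only account exposed:", account_relies_only_on_phone(["sms"]))
```

In the constructed feed only the `press_office` login is flagged: it is the one SMS success that follows a SIM change on the same number, while the earlier login on that number and the login on the other number are left alone. The second helper is the configuration check that matters for the article's point about MFA: an account whose only factors are SMS or voice is, for SIM-swap purposes, no better protected than one with no MFA.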

When the hackers took over the SEC’s X account on Jan. 9, they falsely said that the agency had given its long-awaited blessing to a bitcoin exchange-traded fund (ETF). 

The regulator and SEC Chairman Gary Gensler both took to X the evening of the attack to disavow the announcement, saying the post was unauthorized and the SEC had not approved the listing and trading of spot bitcoin exchange-traded products. 

On the following day, Jan. 10, the SEC announced that it had approved bitcoin ETFs. 

On that same day, it was reported that the FBI was looking into the hacker’s brief takeover of the SEC’s X account. 

On Jan. 12, two U.S. Senators called on the SEC to investigate the breach and up its cybersecurity game. 

“The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure,” Sens. Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., wrote in a letter to SEC Inspector General Deborah J. Jeffrey