The United States Securities and Exchange Commission (SEC) has acknowledged that it was a victim of a “SIM swap” attack, which led to the dissemination of false information about the approval of spot Bitcoin exchange-traded funds (ETFs).
In an official statement, the SEC revealed that an unauthorized party gained control of the cell phone number associated with the SEC’s X account and then reset the password for the @SECGov Twitter account. This incident occurred two days before the actual approval of several spot Bitcoin ETF applications.
SEC SIM Swap attack exposes vulnerability
The SEC confirmed that the breach was a result of a “SIM swap” attack, a technique where attackers take control of a target’s telephone number by having it reassigned to a different device.
This unauthorized party, through the SIM swap, managed to compromise the SEC’s Twitter account and post misleading information regarding the approval of Bitcoin ETFs.
In the aftermath of the incident, the SEC, in collaboration with its telecom carrier, initiated an investigation to determine how the attackers were able to persuade the carrier to change the SIM associated with the SEC’s X account.
Additionally, they are seeking to understand how the attackers identified the specific phone number linked to the SEC’s account.
Multifactor authentication was disabled before attack
One concerning revelation made by the SEC is that six months before the hack occurred, a staff member within the organization had disabled multifactor authentication (MFA) for the X account.
This decision was made due to difficulties in accessing the account, and MFA was not reinstated until after the January 9 attack.
The removal of MFA, which serves as an essential security layer, may have contributed to the vulnerability that allowed the unauthorized party to take control of the account through the SIM swap technique.
Law enforcement investigating the incident
In response to the breach, law enforcement agencies are actively investigating the circumstances surrounding the SIM swap attack. The primary focus of the investigation is to determine how the attackers successfully convinced the telecom carrier to change the SIM card associated with the SEC’s X account.
Additionally, authorities are examining how the attackers identified the specific phone number linked to the SEC’s account.
The SEC has stated that, as of now, there is no evidence to suggest that the unauthorized party gained access to other SEC systems, sensitive data, or additional social media accounts. This revelation provides some assurance that the breach was limited in scope, primarily affecting the SEC’s Twitter account.
Prompt approval of spot Bitcoin ETFs
Ironically, just one day after the security incident, the SEC officially approved several spot Bitcoin ETF applications. These ETFs began trading on January 11, bringing a sense of legitimacy and excitement to the cryptocurrency market.
The quick approval came as a relief to investors and enthusiasts eagerly awaiting the launch of these financial products.