The U.S. Securities and Exchange Commission (SEC) recently revealed that its official X account was hacked using a technique known as SIM swapping. The agency admitted its security lapses enabled the hackers to gain access and post fabricated information, causing temporary market turmoil.
Hackers Posted Fake Approval of Bitcoin Investments
Earlier this month, on January 9, hackers briefly broke into the SEC’s verified social media account on X (formerly Twitter). The hackers tweeted that the SEC had approved new investment products tied to the digital currency bitcoin.
This bogus information caused a surge in Bitcoin’s price, followed by a quick dump after the SEC raised the alarm on the fake post. The next day, the SEC approved Bitcoin investment products called futures ETFs after the leaders voted 3-2 in favor.
Because a genuine approval followed a day later, the hackers’ false post briefly looked authentic and accurate to investors. Some traders likely profited from the fake news by buying Bitcoin before the actual approval happened. The SEC revealed that the hackers used a SIM swap to get into the account.
For clarity, a SIM swap is when scammers convince your cell phone company to transfer your phone number to a new device that the bad actors control.
Once they had the SEC’s phone number moved over, the hackers could use it to reset the agency’s social media password and get around security protections.
The SEC did not name the cell carrier through which the hackers’ SIM swap was carried out, but the agency did admit that its own security mistakes helped the hackers succeed.
Six months before the breach, in June 2022, SEC employees had asked for multi-factor authentication (MFA) to be turned off.
MFA requires a second proof of identity in addition to the password, such as a login code from your phone, which makes accounts harder to take over. With MFA disabled, the hackers likely found it simple to reset the password using the swapped phone number and log straight in.
The SEC has now turned MFA back on for all of its social media accounts to prevent future attacks.
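The two paragraphs above describe the chain the article attributes to the breach: a phone number moved to the attacker, a password reset confirmed through that number, and no MFA prompt left to stop the login. The following is an added example, not code from the article or from the SEC, that models account-recovery policy in a few lines so the weak configuration (MFA off, reset by SMS) can be compared against a hardened one (non-phone MFA factors, no phone-based reset). The attacker capability it assumes is only what a SIM swap grants: the victim's SMS and voice channel. Account names, factor names and the sample configurations are constructed for illustration.

```python
# Added example: a toy account-recovery policy model used to reason about
# which configurations a SIM swap can defeat. Not the SEC's settings and not
# any platform's real API; factor and channel names are illustrative.
from dataclasses import dataclass, field

# Channels that control of the phone number hands to an attacker (assumption).
SIM_SWAP_CONTROLS = {"sms", "voice"}


@dataclass
class Account:
    name: str
    mfa_enabled: bool
    # MFA factors the account accepts, e.g. {"sms"}, {"totp"}, {"fido2"}.
    mfa_factors: set = field(default_factory=set)
    # Channels through which a password reset can be confirmed.
    reset_channels: set = field(default_factory=set)


def effective_mfa_factors(acct: Account) -> set:
    """MFA that actually applies at login: none if MFA is switched off,
    and none if it is 'on' but has no factors enrolled (edge case)."""
    return set(acct.mfa_factors) if acct.mfa_enabled else set()


def recovery_paths_under_sim_swap(acct: Account) -> list:
    """Login paths an attacker holding only the phone number can complete."""
    paths = []
    # Step 1: can the attacker confirm a password reset via the phone number?
    if not (acct.reset_channels & SIM_SWAP_CONTROLS):
        return paths
    # Step 2: after the reset, does any MFA prompt stand in the way?
    factors = effective_mfa_factors(acct)
    if not factors:
        paths.append("password reset via phone number, no MFA prompt")
    elif factors <= SIM_SWAP_CONTROLS:
        paths.append("password reset via phone number, MFA satisfied by SMS/voice code")
    # Any factor outside SMS/voice (authenticator app, security key) blocks the path.
    return paths


def audit(acct: Account) -> list:
    """Defender-side findings: each string is a setting worth fixing."""
    findings = []
    factors = effective_mfa_factors(acct)
    if not factors:
        findings.append("MFA disabled or has no factors enrolled")
    elif factors <= SIM_SWAP_CONTROLS:
        findings.append("MFA relies only on phone-number factors")
    if acct.reset_channels & SIM_SWAP_CONTROLS:
        findings.append("password reset can be confirmed via phone number")
    return findings


# Constructed sample configurations (not real accounts).
MFA_OFF = Account("mfa-off", mfa_enabled=False, reset_channels={"sms", "email"})
SMS_ONLY = Account("sms-mfa", mfa_enabled=True, mfa_factors={"sms"},
                   reset_channels={"sms", "email"})
HARDENED = Account("hardened", mfa_enabled=True, mfa_factors={"totp", "fido2"},
                   reset_channels={"email"})

if __name__ == "__main__":
    for acct in (MFA_OFF, SMS_ONLY, HARDENED):
        paths = recovery_paths_under_sim_swap(acct) or ["no path"]
        print(f"{acct.name}: takeover paths={paths}; findings={audit(acct)}")
```

The model makes one point the article leaves implicit: turning MFA back on is only enough if the factor is not itself delivered to the phone number. An SMS-only MFA setup still falls to the same SIM swap, so the `audit` function flags it alongside the fully disabled case.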
Investigations Look into Breakdown of Security Measures
Numerous government agencies are now probing how the hackers were able to access the SEC’s account and post false data. The SEC’s own internal watchdog and investigation unit have started inquiries.
Other groups looking into the troubling security lapses include the FBI, the Justice Department, and a specialized cybersecurity agency.
Lawmakers have also demanded the SEC explain why it let its guard down online. The sophisticated attack has raised worries that phone number scams could be used to steal even more vital financial information from the SEC or significant companies.
The ease with which the hackers gained entry via the SIM swap suggests stronger protections may be needed. The SEC and other organizations handling sensitive data should keep strong, multi-layered security measures switched on rather than disabling them for convenience.
Phone companies may also need better identity checks before number swaps to avoid assisting fraudsters.
In its statement, the SEC pledged to study how the attack succeeded and fix any gaps. The agency says turning the MFA back on will bolster defenses to prevent such embarrassing breaches.
While this hack only impacted a public social media presence, it demonstrates holes that could allow access to far more private data.