The U.S. Securities and Exchange Commission confirmed that the hijacking of its X (Twitter) account was the result of a SIM swapping hack.
Hackers briefly gained control of the account on Jan. 9, posting a fake (or at least premature) announcement that the commission had approved Bitcoin futures exchange-traded funds (ETFs).
After the post, Bitcoin surged to a 19-month high before dropping nearly 6% after SEC staff used Chair Gary Gensler’s X account to break the news that the ETF announcement was bogus. Later the same week, however, the SEC did approve 11 ETF funds.
Immediately after the account takeover, security experts suspected a SIM swapping scam, especially after the SEC revealed that the unauthorized party had gained access “by obtaining control over the phone number associated with the account."
But it wasn’t until a Jan. 22 update on the incident that the commission confirmed a SIM swap attack was the apparent cause.
The SEC’s latest update also revealed multi-factor authentication (MFA), which would likely have prevented the hack, had been disabled on the account for several months.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said.
What is a SIM card attack?
SIM swapping, also called simjacking, is a type of cybercrime where a criminal tricks a wireless carrier into sending texts and calls to a rogue third-party phone or device. This allows a scammer to intercept password recovery and account verification codes.
Typically, SIM swapping attacks follow a compromised email account associated a wireless carrier. Criminals use the hijacked email account to request from a wireless carrier a SIM card transfer to new SIM card under the control of the hacker. Next, when a criminal logs into a victim's account protected by a multi-factor authentication (MFA) security measure, such as a bank or Twitter account, the "security code" is sent to the SIM card under the control of the criminal.
In the case of the Jan. 9 attack, access to the phone number occurred via the telecom carrier, not through SEC systems, the spokesperson said.
“SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”
Once the hacker had control of the phone they reset the SEC’s X password, a change that was most likely possible because MFA was not enabled on the account.
While MFA had previously been activated “it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the spokesperson said.
“Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.
Law enforcement and federal oversight entities, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the SEC’s Office of Inspector General, are continuing to investigate the breach. “Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the SEC spokesperson said.