SEC Shut Off Extra Security on X For About 6 Months, Letting Hacker Breeze In
The U.S. regulator confirmed it didn't take its own security advice through much of 2023, leaving it open for a costly social-media hack that's still under investigation.
Jan 22, 2024 at 9:00 p.m. UTC:format(webp)/cloudfront-us-east-1.images.arcpublishing.com/coindesk/Q732EEHEMZEW3JFZZ3YUBMVQB4.jpg)
/arc-photo-coindesk/arc2-prod/public/LXF2COBSKBCNHNRE3WTK2BZ7GE.png)
- The U.S. Securities and Exchange Commission acknowledged a hacker managed to take over one of the agency's cell phones to crack its X account and post about the spot bitcoin ETF.
- The regulator had deactivated its multi-factor authentication as far back as July 2023.
The U.S. Securities and Exchange Commission (SEC) confirmed that a hacker took over its X account through a "SIM swap" attack that seized control of a cell phone associated with the account. That allowed the outsider to falsely tweet on January 9 that the agency had approved spot bitcoin exchange-traded funds (ETFs), a day before the agency actually did so.
"Access to the phone number occurred via the telecom carrier, not via SEC systems," a spokesperson for the agency said in a statement on Monday. "SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts." The SEC did not identify who the telecom carrier was.
The agency had also deactivated its multi-factor authentication on the account in July 2023 "due to issues accessing the account," the spokesperson said. That protection has since been turned back on.
The embarrassing security lapse – from an agency well known for advising investors to ensure proper security and maintaining multi-factor authentication on their financial accounts – allowed a posting on X under the @SECGov account that led many to believe the agency had signed off on its eagerly-awaited approval for the ETFs. The false news moved the markets before it was quickly determined to be a hack.
"Once in control of the phone number, the unauthorized party reset the password for the @SECGov account," the spokesperson said. "Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account."
Shortly after the hack, the SEC moved in earnest to approve bitcoin ETFs.
X – formerly known as Twitter – shared a similar take on the SEC hack in a statement two weeks ago, saying "the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party."
The SEC is still investigating alongside law enforcement and oversight agencies, including the Federal Bureau of Investigation, Department of Homeland Security, Commodity Futures Trading Commission and the Department of Justice.
SIM swap attacks have been common in crypto for years, with attackers gaining access to victims' phone numbers, usually for the purpose of stealing their holdings. Friend.Tech users were targeted last year, for example, with attackers making away with users' ether holdings.
:format(webp)/www.coindesk.com/resizer/x37dWM_1ORxU2nCUG8EyVsmvF4Y=/arc-photo-coindesk/arc2-prod/public/3CZRUU6QWVDQ5PSXCNWHUB6CY4.png)
Jesse Hamilton is CoinDesk's deputy managing editor for global policy and regulation. He doesn't hold any crypto.