The SEC confirms that a SIM swapping attack led to the hacking of X account.
Today, the U.S. Securities and Exchange Commission confirmed that its X account was breached via a SIM-swapping attack targeting the mobile number linked to the account. [...]
The U.S. Securities and Exchange Commission confirmed today that its X account was hacked through a SIM-swapping attack on the cell phone number associated with the account.
Earlier this month, the SEC's X account was hacked to issue a fake announcement that the agency had finally approved Bitcoin ETFs on security exchanges.
Ironically, the SEC approved Bitcoin ETFs in a legitimate announcement the following day.
However, at the time, it was not clear how the account was breached, with the SEC stating that they would provide updates on their investigation as it became available.
Today, the SEC has confirmed that a cell phone account associated with the X account suffered a SIM-swapping attack.
"Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," explains an updated SEC press statement on the breach.
In SIM swapping attacks, threat actors trick a victim's wireless carrier into porting a customer's phone number to a device under the attacker's control. This allows all texts and phone calls sent to the device to be retrieved by the hackers, including password reset links and one-time passcodes for multi-factor authentication (MFA).
According to the SEC, the hackers did not have access to the agency's internal systems, data, devices, or other social media accounts, and the SIM swap occurred by tricking their mobile carrier into porting the number.
Once the threat actors controlled the number, they reset the password for the @SECGov account to create the fake announcement.
The SEC says they continue to work with law enforcement to investigate how the attackers conducted the SIM-swapping attack with their mobile carrier.
The SEC also confirmed that multi-factor authentication was not enabled on the account, as they had asked X support to disable it when they encountered problems logging into the account.
If MFA was enabled via SMS, the hackers would still have been able to breach the account as they would have received the one-time passcodes.
However, if the security setting had been configured to use an authentication app, it would have prevented the threat actors from logging into the account, even after the attackers had changed the password.
For this reason, it is always advised that MFA only be used with a hardware security key or an authentication app rather than through SMS.
X has been plagued this past year with hacked accounts and malicious advertisements promoting cryptocurrency scams and wallet drainers.
Unfortunately, there does not appear to be an end in sight, with users now fed up with what feels like a constant stream of malicious advertisements.