The SEC linked the SIM swap attack to the hack of its X account earlier this month, which created a fake post announcing the approval of Bitcoin ETFs and caused the price of the cryptocurrency to soar. In an update Monday, the SEC says “an unauthorized party took control of the SEC cell phone number associated with the account in an apparent SIM swap attack.”
A SIM swap attack occurs when a bad actor obtains a victim’s phone number through techniques such as social engineering. This allows the attacker to intercept calls and text messages directed to the victim, including two-factor authentication codes, which they can then use to log into the victim’s accounts.
In the SEC case, a bad actor reset the password for his X account after taking control of the phone number associated with it. While the SEC says multi-factor authentication was previously enabled on the agency’s X account, it was “disabled by X Support, at the request of employees, in July 2023 due to account access issues.” The SEC only re-enabled MFA after realizing her account had been hacked on January 9, and says she has MFA active on all her other social media accounts that have that option.
The SEC says law enforcement is still investigating how the attacker discovered the phone number he was using for his X account, and how they were able to convince the cell phone company to switch SIM cards.