The U.S. Securities and Exchange Commission said on Monday that a SIM swap attack was to blame for the breach of its official account on X (formerly Twitter) earlier this month.
On Jan. 9, an unauthorized party gained access to the @SECGov account and displayed a fake post claiming the agency had approved the first-ever spot bitcoin exchange-traded funds. The cryptocurrency market moved following the unauthorized post, with bitcoin prices initially shooting up to nearly $48,000. Then, after the SEC clarified that it had not yet approved the bitcoin ETF, prices fell below $46,000.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said in a statement.
A SIM swap is an attack in which a victim’s phone number is transferred to a device controlled by someone else without the owner’s permission, allowing the bad actor to receive the SMS messages and voice calls intended for the victim, including one-time codes and password-reset links.
With access to the phone number, the unidentified individual then reset the account password. Because the SEC did not have two-factor authentication enabled, the SIM swap and subsequent password change were the only two steps necessary to gain full access to the agency’s account.
“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in the statement.
“Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” the statement continued. “MFA currently is enabled for all SEC social media accounts that offer it.”
The agency had the ability to switch two-factor authentication back on for its X account itself and was not reliant on X to do so.
X owner and CTO Elon Musk mocked the SEC, an agency he has clashed with for years, after the agency’s account on X was breached. Musk also retweeted a post from Twitter Safety following the incident, which said the compromise “was not due to any breach of X’s systems.”
X did not immediately respond to CNBC’s questions about whether the platform has continued to cooperate with investigators, or whether the company plans to change its design or any features associated with government agency accounts in response to the SEC account breach.
The SEC said there was no evidence the unauthorized party gained access to SEC systems, data, devices or other social media accounts. Instead, the agency said that “access to the phone number occurred via the telecom carrier” and that law enforcement is still investigating both how this individual “got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”
The SEC said it is continuing to work with multiple law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice and the SEC’s own Division of Enforcement.
—CNBC’s Lora Kolodny contributed to this report.