The US Securities and Exchange Commission (SEC) says it fell victim to so-called SIM swapping in the hacker attack on its user account on the short message service X. “Once the unauthorized person gains control of the phone number, they reset the password for the @SECGov account,” an SEC spokesman said Monday.
Wall Street’s top supervisory authority deactivated an additional layer of protection, known as multi-factor authentication (MFA), six months before the attack due to technical problems and only reactivated it after the attack on January 9th. With SIM swapping, the hacker gains control of the account by assigning the phone number associated with the user account to an attacker’s device. Law enforcement was working to determine how the hackers tricked the SEC’s wireless carrier into making the switch, the SEC said, without naming the provider.
In the recent hacker attack, a false report was published on X that the SEC had approved Bitcoin exchange-traded funds (ETFs). This sent the cryptocurrency industry into turmoil and briefly drove up the price of the cyber currency.
The Bitcoin ETF hoax came just a day before the SEC actually gave the green light to the first ETFs listed in the US. Lawmakers demanded an explanation of how the SEC could fall victim to such an attack, especially since it imposes strict cybersecurity requirements on publicly traded companies. The SEC said it is working with law enforcement and government agencies to investigate the incident. A representative for X did not immediately respond to a request for comment from Reuters.