New details emerge about SEC's X account hack, including SIM swap

Watch Daily: Monday - Friday, 3 PM ET

The U.S. Securities and Exchange Commission said on Monday that a SIM swap attack was to blame for the breach of its official account on X (formerly Twitter) earlier this month.

On Jan. 9, an unauthorized party gained access to the @SECGov account and displayed a fake post claiming the agency had approved the first-ever spot bitcoin exchange-traded funds. The cryptocurrency market moved following the unauthorized post, with bitcoin prices initially shooting up to nearly $48,000. Then, after the SEC clarified that it had not yet approved the bitcoin ETF, prices fell below $46,000.

"Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," an SEC spokesperson said in a statement.

A SIM swap is when a phone number is transferred to another device without the permission of the owner, allowing the bad actor to receive SMS messages and voice calls intended for the victim.

With access to the phone number, the unidentified individual then reset the account password. Because the SEC did not have two-factor authentication enabled, the SIM swap and subsequent password change were the only two steps necessary to gain full access to the agency's account.

"While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff's request, in July 2023 due to issues accessing the account," the SEC said in the statement.

"Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9," the statement continued.