
    SEC did not have 2FA enabled: X Safety team on fake Bitcoin ETF post

    2024.01.10 | exchangesranking

    The X Safety team has revealed that the United States Securities and Exchange Commission did not have two-factor authentication (2FA) enabled on its main X account, allowing a hacker to gain access to its account. 

    The embarrassing revelation for the SEC follows a security breach that rocked crypto markets today with a false confirmation of a spot Bitcoin ETF from the SEC’s official account on the social media platform.

    In a Jan. 10 post, X’s Safety page wrote that the SEC hack occurred as a result of an unidentified actor gaining control of the phone number associated with the account, and using that to gain access to SEC’s official X page. This is more commonly known as a SIM swap hack.

    “Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” wrote X Safety.

    “We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”

    A SIM swap hack is a form of identity theft where an attacker takes over a victim’s phone number, allowing them to gain access to social media, bank and crypto accounts. 

    In this case, the hacker is likely to have convinced a third-party telecommunications provider to hand over control of the phone number tied to the SEC's account. If the hacker also knew the correct email address used to sign into the account, they could use the phone number to reset the password on the SEC's official account and gain access.

    Blockchain sleuth ZachXBT took the opportunity to repackage SEC Chair Gary Gensler’s own previous advice on social media security in a humorous comment made in response to the original X Safety post. 

    United States Senators J.D. Vance and Thom Tillis penned a letter to Gensler today, lashing the agency for its lack of operational security and asking for an explanation for the incident within the next four days.

    "These developments raise serious concerns regarding the Commission's internal cybersecurity procedures and are antithetical to the Commission's tripart mission to protect investors," wrote the letter. 

    Vance and Tillis' letter joined a growing roster of calls for transparency on the matter, with several members of Congress also demanding an official investigation into the incident. U.S. Senator Bill Hagerty called the SEC out on its own turf, saying that if this mishap had been caused by an actor on the other side of the fence, the agency would naturally call for an investigation.

    “Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened. This is unacceptable."

    U.S. Senator Cynthia Lummis added her voice to the fray, demanding transparency into "fraudulent announcements."

    X's owner and Tesla CEO Elon Musk also took the opportunity to push back on an earlier claim made on CNBC that the SEC hack was a result of X’s own internal systems being breached. 

    “That’s how legacy media runs,” said Musk. Earlier he suggested that the SEC password was "LFGDogeToTheMoon."
