The Securities and Exchange Commission confirmed Monday that a hack of the agency’s account on the social media site X earlier this month was done through an “apparent SIM swap attack” and that the account did not have multifactor authentication enabled.
According to a statement from the agency, an internal investigation following the Jan. 9 account hijacking determined that an unauthorized party had obtained control of a phone number associated with the SEC’s X account through the agency’s telecommunications carrier.
Sim-swapping involves gaining control of a cellular phone number by convincing a mobile carrier to transfer a number to a sim card controlled by the attacker. Once the attacker controls the victim’s phone number, they can use that phone number to reset the password of accounts belonging to the victim.
Having gained control of the number associated with the agency’s account, the swapper reset the SEC’s password on X, giving them access to the agency’s account. The investigation was carried out by the SEC Office of Inspector General, the FBI, the Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice and the SEC’s enforcement division.
“Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”
The statement also confirmed initial public comments from X that the SEC account in question had disabled multifactor authentication. The agency said the account was “disabled by X support, at the staff’s request, in July 2023 due to issues accessing the account.”
The agency said it now has multifactor authentication enabled “for all SEC social media accounts that offer it.”
According to a transparency report around account security published by Twitter/X covering the last half of 2021, two-factor authentication is rarely leveraged by users and when it is most accounts opt for the least secure method. Just 2.6% of accounts between July-December 2021 utilized two-factor authentication, and of those who did, nearly three out of four (74%) chose to verify through SMS or texts.
Cybersecurity experts say that while SMS-based authentication is better than nothing, it is more vulnerable to sim-swapping and social engineering than other factors like email or a security key.
Twitter stopped publishing formal biannual transparency reports at the beginning of 2022. Last year, new owner Elon Musk’s changes to the platform included the disabling of SMS multifactor authentication as an option for non-paying accounts.