Jan 22, 2024 - Technology

SEC says "SIM swap" attack behind recent social media hack

Illustration of an anonymous hooded figure peeking out from behind an X app icon.

Illustration: Gabriella Turrisi/Axios

The U.S. Securities and Exchange Commission said in a statement Monday that a recent hack of its account on X, formerly known as Twitter, was the result of a hacker taking over the number tied to one of the agency's cell phones.

Why it matters: The details from the SEC's investigation provide fresh insights into how exactly a hacker was able to break into a top government agency's social media account and post untrue, market-moving information.

What they're saying: "Two days after the incident, in consultation with the SEC's telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," an SEC spokesperson said in a statement shared with reporters Monday.

  • "Access to the phone number occurred via the telecom carrier, not via SEC systems," the agency spokesperson added. "SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts."

Catch-up quick: A hacker hijacked the SEC's X account on Jan. 9 and sent a false tweet claiming national exchanges were approved at the time to list Bitcoin ETFs.

  • X later said that the SEC's account did not have multi-factor authentications (MFA) activated at the time of the account takeover — removing another level of security from the account.

How it works: SIM swapping has become a go-to, simple hacking tactic.

  • In this scenario, hackers convince a telecom carrier to switch a mobile phone number to a SIM card that the hacker has.
  • After gaining control of the phone number, the hacker then can use that to change the passwords for accounts associated with that phone number.

Details: This is what happened in the SEC's case, according to the spokesperson.

  • Law enforcement is still investigating how the hacker tricked the unidentified telecom carrier to change the SIM for the account and how they knew which phone number to target.

Of note: The SEC also said that it asked X to turn off multi-factor authentication for its account in July "due to issues accessing the account."

  • "Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9," the spokesperson said. "MFA currently is enabled for all SEC social media accounts that offer it."
  • The July request happened after X changed its policies and made text-based MFA — where users receive a code via text to log into their accounts — a paid feature.

The big picture: Several hacking groups have started taking advantage of insecurities around users' passwords and phone numbers.

  • Because most people use SMS-based MFA, if they even use it at all, SIM swap attacks have become even more popular.
  • Hackers have leaned on these insecurities to break into Uber, MGM Resorts, Clorox and other major companies in recent years.
  • The Federal Communications Commission recently adopted new rules for telecom providers, which take effect in June, aimed at cracking down on SIM swapping attacks.

What we're watching: Federal investigators have yet to identify who was behind the hack of the SEC's account.

Go deeper