Identity, SSO/MFA

SEC blames SIM swap hack for Twitter account hijack


The U.S. Securities and Exchange Commission confirmed that the hijacking of its X (Twitter) account was the result of a SIM swapping hack.

Hackers briefly gained control of the account on Jan. 9, posting a fake (or at least premature) announcement that the commission had approved Bitcoin futures exchange-traded funds (ETFs).

After the post, Bitcoin surged to a 19-month high before dropping nearly 6% after SEC staff used Chair Gary Gensler’s X account to break the news that the ETF announcement was bogus. Later the same week, however, the SEC did approve 11 ETF funds.

Immediately after the account takeover, security experts suspected a SIM swapping scam, especially after the SEC revealed that the unauthorized party had gained access “by obtaining control over the phone number associated with the account."

But it wasn’t until a Jan. 22 update on the incident that the commission confirmed a SIM swap attack was the apparent cause.

The SEC’s latest update also revealed that multi-factor authentication (MFA), which would likely have prevented the hack, had been disabled on the account for several months.

“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said.

What is a SIM card attack?

SIM swapping, also called simjacking, is a type of cybercrime where a criminal tricks a wireless carrier into sending texts and calls to a rogue third-party phone or device. This allows a scammer to intercept password recovery and account verification codes.

Typically, SIM swapping attacks follow the compromise of an email account associated with a wireless carrier account. Criminals use the hijacked email account to ask the wireless carrier to transfer the victim's service to a new SIM card under the attacker's control. Next, when the criminal logs into a victim's account that is protected by a multi-factor authentication (MFA) security measure, such as a bank or Twitter account, the "security code" is sent to the SIM card the criminal controls.
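The chain described above (carrier-side SIM change, SMS code delivered to the attacker's SIM, password reset on the linked account) leaves a time-ordered trail that a defender can correlate. The following is an added example, not code from SC Media, the SEC or any carrier: it scans constructed sample events for a password reset that follows a SIM change on the account's recovery number within a short window, and separately lists accounts whose recovery path is defeated by a SIM swap alone (MFA disabled, or SMS as the only second factor). The event types, field names, phone numbers and account names are all assumptions made for the illustration.

```python
"""Correlate carrier SIM-change notices with account-recovery events.

Added illustration (not from the article or the SEC). Detects the pattern
described in the text: a SIM swap at the carrier, followed shortly by a
password reset on an account whose recovery phone is that number. Also
flags accounts that rely on SMS alone or have MFA switched off.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real SEC or carrier data). Each event is
# one dict; timestamps are ISO-8601 and assumed to be UTC.
EVENTS = [
    {"ts": "2024-01-09T14:00:00", "type": "sim_change", "phone": "+15550100"},
    {"ts": "2024-01-09T14:20:00", "type": "sms_code_sent", "phone": "+15550100",
     "account": "agency_press"},
    {"ts": "2024-01-09T14:21:00", "type": "password_reset", "account": "agency_press"},
    {"ts": "2024-01-09T16:00:00", "type": "sim_change", "phone": "+15550199"},
    {"ts": "2024-01-12T09:00:00", "type": "password_reset", "account": "agency_press"},
]

# Constructed inventory of social accounts and how each is protected.
# "mfa" is one of: "disabled", "sms", "app" (authenticator app or key).
ACCOUNTS = {
    "agency_press": {"phone": "+15550100", "mfa": "disabled"},
    "agency_chair": {"phone": "+15550101", "mfa": "app"},
    "agency_alerts": {"phone": "+15550102", "mfa": "sms"},
}

# A reset within a day of a SIM change on the recovery number is suspicious.
SIM_SWAP_WINDOW = timedelta(hours=24)


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_sim_swap_resets(events, accounts, window=SIM_SWAP_WINDOW):
    """Return (account, sim_change_ts, reset_ts) for every password reset
    that happened within `window` after a SIM change on that account's
    recovery phone number. Resets before the swap, or on unrelated
    numbers, are ignored."""
    sim_changes = [e for e in events if e["type"] == "sim_change"]
    hits = []
    for e in events:
        if e["type"] != "password_reset":
            continue
        acct = accounts.get(e["account"])
        if acct is None:
            continue  # reset on an account we do not track
        reset_ts = parse_ts(e["ts"])
        for s in sim_changes:
            if s["phone"] != acct["phone"]:
                continue
            swap_ts = parse_ts(s["ts"])
            if timedelta(0) <= reset_ts - swap_ts <= window:
                hits.append((e["account"], s["ts"], e["ts"]))
    return hits


def weak_mfa_accounts(accounts):
    """Accounts a SIM swap alone can take over: MFA disabled (recovery runs
    on an SMS code) or SMS as the only second factor."""
    return sorted(name for name, a in accounts.items()
                  if a["mfa"] in ("disabled", "sms"))


if __name__ == "__main__":
    for account, swap_ts, reset_ts in find_sim_swap_resets(EVENTS, ACCOUNTS):
        print(f"ALERT {account}: SIM change {swap_ts} -> password reset {reset_ts}")
    print("Accounts relying on SMS or no MFA:", weak_mfa_accounts(ACCOUNTS))
```

The correlation only works if the carrier actually notifies the account owner of SIM or port-out changes and that notice reaches a log the account owner can read; the second function is the cheaper control and corresponds to the inventory check the SEC says it now runs across its social media accounts.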

In the case of the Jan. 9 attack, access to the phone number occurred via the telecom carrier, not through SEC systems, the spokesperson said.

“SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”

Once the hacker had control of the phone number, they reset the SEC’s X password, a change that was most likely possible because MFA was not enabled on the account.

While MFA had previously been activated “it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the spokesperson said.

“Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”

Law enforcement and federal oversight entities, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the SEC’s Office of Inspector General, are continuing to investigate the breach. “Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the SEC spokesperson said.


Commission staff requested MFA be deactivated on the account several months before it was compromised.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
