The U.S. Securities and Exchange Commission said on Monday that a SIM swap attack was to blame for the breach of its official account on X, formerly known as Twitter, earlier this month.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said in a statement.
A SIM swap is when a phone number is transferred to another device without the permission of the owner, allowing the bad actor to receive SMS messages and voice calls intended for the victim.
With access to the phone number, the unidentified individual then reset the account password. Since the SEC did not have two-factor authentication enabled, the SIM swap and subsequent password change were the only two steps necessary to gain full access to the agency’s account.
“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in the statement.
“Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” the statement continued. “MFA currently is enabled for all SEC social media accounts that offer it.”
The agency had the ability to switch two-factor authentication back on for their X account and was not reliant on X to do so.
X owner and Chief Technology Officer Elon Musk mocked the SEC, an agency he has clashed with for years, after its account on X was breached. Musk also retweeted a post from Twitter Safety following the incident, which said the compromise “was not due to any breach of X’s systems.”
X didn’t immediately respond to CNBC’s questions about whether the platform has continued to cooperate with investigators, or whether the company plans to change its design or any features associated with government agency accounts in response to the SEC account breach.
Cybersecurity expert Chris Pierson tells CNBC that SIM swap attacks have become a much bigger security threat for government agencies and corporations.
“Originally, these attacks flourished as a means for criminals to hijack an individual’s cryptocurrency wallet or account, but they’re now being weaponized by other criminal actors and nation-states for a much wider range of uses,” said Pierson, a former member of the Department of Homeland Security’s Cybersecurity Subcommittee and Privacy Committee.
There’s also been a growing number of targeted takeovers of influential social media accounts for pump-and-dump stock schemes, to inflict reputational damage and to spread disinformation, added Pierson, who is now CEO of cybersecurity and digital privacy protection company BlackCloak.
“While this is becoming a more serious problem, with more organized and sophisticated actors, we’re still seeing many agencies and companies continue to make basic mistakes with the security of these accounts,” he said.
The SEC said there was no evidence the unauthorized party gained access to the agency’s systems, data, devices or other social media accounts. Instead, the SEC said that “access to the phone number occurred via the telecom carrier” and that law enforcement is still investigating both how this individual “got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”
The SEC said it’s continuing to work with multiple law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice and the SEC’s own Division of Enforcement.