SEC says X account hack was due to SIM swapping

An “unauthorized party” hijacked the cell phone number of the person running the SEC’s X account before taking over the social media feed and posting messages.

In a statement on Monday, an SEC spokesperson explained that two days after the January 9 account takeover, the government agency spoke to its telecom carrier and discovered that someone “obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”

SIM swapping — where scammers transfer a person’s phone number to another device under their control — continues to be one of the most pernicious cybercrime tactics.

“Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts,” the spokesperson said.

“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account. Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”

The SEC said multifactor authentication was enabled on the X account but “it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.”

The agency reinstated multifactor authentication on January 9 after the account was taken back.

The spokesperson added that the SEC continues to work with several law enforcement agencies on the investigation, including the FBI, Justice Department, the Cybersecurity and Infrastructure Security Agency and others.

The SEC's new comments corroborate a statement from X last week that said blame for the incident should not be placed on the social media company’s shoulders.

The incident has caused outrage among lawmakers, who last week demanded answers from SEC Chairman Gary Gensler.

Whoever took over the account tweeted a message claiming the commission granted approval for bitcoin exchange-traded funds (ETFs) to be listed on national securities exchanges. Last week, the agency actually did approve the listing of such funds.