- The United States Securities and Exchange Commission (SEC) faced a major security breach as hackers exploited the absence of two-factor authentication (2FA) on its official X account, leading to a false approval of a Bitcoin ETF.
- U.S. Senators called out the SEC’s lack of operational security, demanding accountability and transparency, while X’s safety team clarified that the breach wasn’t due to X’s systems but rather a SIM swap hack, made possible by the absence of 2FA on the account.
In a shocking revelation, X’s (formerly Twitter) safety team exposed a critical security lapse at the United States Securities and Exchange Commission (SEC). The SEC’s official X account lacked two-factor authentication (2FA), opening the door for a hacker to exploit the vulnerability and post a fake approval of a spot Bitcoin exchange-traded fund (ETF).
On January 10, X’s safety team disclosed that the breach occurred due to an unidentified actor executing a SIM swap hack – gaining control of the phone number associated with the @SECGov account through a third party. The absence of 2FA on the compromised account further amplified the severity of the situation, emphasizing the importance of robust security measures.
A SIM swap hack involves identity theft, where an attacker takes over the victim’s phone number, providing access to various accounts, including social media, banks, and cryptocurrencies. In this case, the hacker likely convinced a third-party telecommunications provider to hand over control of the SEC’s account phone number.
The revelation prompted swift action from U.S. Senators J.D. Vance and Thom Tillis, who penned a letter to SEC Chairman Gensler, criticizing the agency’s operational security and demanding an explanation within four days. The letter raised concerns about the SEC’s cybersecurity procedures, highlighting the contradiction with its mission to protect investors.
The incident ignited a call for transparency and an official investigation from several members of Congress. U.S. Senator Bill Hagerty emphasized the need for accountability, drawing parallels to how the SEC would demand answers from a public company for a market-moving mistake.
U.S. Senator Cynthia Lummis joined the chorus, demanding transparency into what she termed “fraudulent announcements.” The mounting pressure also caught the attention of X’s owner and Tesla CEO Elon Musk, who refuted claims that the hack originated from a breach of X’s internal systems, pushing back against an earlier CNBC report.
As the fallout continues, the SEC faces intensified scrutiny over its cybersecurity practices. The absence of 2FA on a critical account underscores the importance of implementing robust security measures in regulatory bodies, especially in the digital age where cyber threats loom large. The incident serves as a stark reminder for organizations to prioritize cybersecurity to safeguard against malicious actors and protect the integrity of financial markets.