On January 10, the US Securities and Exchange Commission (SEC) saw its X account hacked for a brief time, with a post claiming it has approved listings for Bitcoin exchange-traded funds (ETFs).

SEC Chair Gary Gensler later clarified in a post on his X account that the agency’s account was “compromised, and an unauthorized tweet was posted”.

Today, the US Securities and Exchange Commission (SEC) provided an update on the incident, stating that an unauthorized party gained control of the SEC cell phone number associated with the account through an apparent ‘SIM swap.

SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number.

Buy Me A Coffee

“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent “SIM swap” attack. SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number. Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”

SEC spokeperson says.

“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account. Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”

The SEC says law enforcement is still investigating how the attacker found out which phone number it was using for its X account, and how they got the mobile carrier to swap SIMs.

READ
FBI: Akira Ransomware Responsible for $42 Million in Losses, 250+ Breaches