The Securities and Exchange Commission has linked a SIM swapping attack to its account breach on X earlier this month, which led to the creation of a fake post announcing approval of Bitcoin ETFs that caused the cryptocurrency’s price to spike. In an update on Monday, the SEC says an “unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”
A SIM-swapping attack was behind the SEC’s fake Bitcoin post
The SEC says a bad actor gained control of the phone number associated with its X account.
The SEC says a bad actor gained control of the phone number associated with its X account.
Photo by Amelia Holowaty Krales / The Verge
is a news writer who covers the streaming wars, consumer tech, crypto, social media, and much more. Previously, she was a writer and editor at MUO.
A SIM-swapping attack occurs when a bad actor obtains a victim’s phone number through techniques like social engineering. That allows the attacker to intercept calls and texts intended for the victim, including two-factor authentication codes, which they can then use to sign in to their victim’s accounts.
In the SEC’s case, a bad actor reset the password for its X account after gaining control of the phone number linked to it. While the SEC says multifactor authentication was previously enabled on the agency’s X account, it was “disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.” The SEC only reenabled MFA after it realized its account was compromised on January 9th, and says it has MFA active on all of its other social media accounts that have the option.
The SEC says law enforcement is still investigating how the attacker found out which phone number it was using for its X account, and how they got the mobile carrier to swap SIMs.
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
