- The SEC revealed that multi-factor authentication had been disabled on its Twitter account from July 2022 until an unauthorized tweet was posted in January.
- The SEC said an unauthorized party likely gained control through a SIM swap attack, resetting the password with a hijacked cell number tied to the account.
- The SEC is investigating the security lapse with law enforcement and enabling MFA on all accounts that offer it.
The SEC recently provided an update regarding how a false tweet about bitcoin ETF approval was posted from its Twitter account earlier this month. The agency revealed that multi-factor authentication had been disabled over the summer and remained off until the unauthorized tweet was posted.
Multi-Factor Authentication Was Turned Off
According to the SEC, multi-factor authentication (MFA) had previously been enabled on its @SEC_News Twitter account. However, it was disabled in July 2022 at the request of Twitter support due to issues accessing the account. After access was restored, MFA remained off until January 9th when the account was compromised.
The SEC spokesperson said MFA is now enabled for all of the agency’s social media accounts that offer it.
SIM Swap Attack Likely Enabled Account Takeover
The SEC said an unauthorized party likely obtained control of an SEC cell phone number associated with the account through a SIM swap attack. In a SIM swap, someone's phone number is transferred to a device they do not control, without their authorization.
The spokesperson said the unauthorized party then used the hijacked number to reset the password and gain control of the SEC’s Twitter account. Law enforcement is investigating how the party executed the SIM swap and knew which number was tied to the account.
Ongoing Investigation Into Security Lapse
The SEC is continuing to work with its Office of Inspector General, the FBI, the CFTC, the DOJ and other law enforcement agencies on the incident. The security lapse has drawn criticism from some in Washington, D.C., who are calling for an investigation.
Conclusion
The SEC’s disclosure that multi-factor authentication was disabled for months leading up to the false tweet from its account raises questions about the agency’s security protocols. The investigation into how the unauthorized party carried out the attack is ongoing.