Monday, July 7, 2025
SEC Validates SIM Swap Attack as Cause of X Account Takeover

A US regulator has confirmed that its official X (previously Twitter) account was hijacked earlier this month after hackers were able to take over the phone number associated with the account.

The Securities and Exchange Commission (SEC) revealed in an update yesterday that the January 9 incident was attributable to a classic SIM swap attack.

Once in control of the number, the hackers reset the password, enabling them to fully control the account.

“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the regulator continued.

“Once access was re-established, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”

Read more on X account takeovers: NCSC: Twitter Users Should Find MFA Alternatives

While having MFA disabled is poor practice for a government body, SIM swappers would still have been able to intercept a one-time passcode sent by X to authenticate. That’s why senators have urged the SEC to use “phishing-resistant MFA” such as authenticator apps.

The account itself was hijacked in early January to post a fake announcement that the regulator had approved the listing and trading of Bitcoin exchange-traded funds (ETFs) on securities exchanges. In the end, the SEC made the announcement for real the following day.

SIM swapping typically happens when a scammer manages to socially engineer a telco employee into porting a customer’s phone number to a device under their control. On some occasions, they use malicious insiders working at telco carriers.
