SEC did not have 2FA enabled: X safety team on fake Bitcoin ETF post

The SEC’s false Bitcoin ETF approval post that rocked crypto markets occurred as a result of a SIM swap attack.
Tom Mitchelhill
Posted by Tom Mitchelhill January 10, 2024 3 Mins Read
The SEC’s false Bitcoin ETF approval post that rocked crypto markets occurred as a result of a SIM swap attack.

The safety team at X (formerly Twitter) has revealed that the United States Securities and Exchange Commission (SEC) did not have two-factor authentication (2FA) enabled on its main X account, allowing a hacker to gain access to it. 

The embarrassing revelation for the SEC follows a security breach that rocked crypto markets today with a false approval of a spot Bitcoin (BTC) exchange-traded fund (ETF) from the SEC’s official account on the social media platform.

In a Jan. 10 post, X’s safety page wrote that the SEC hack occurred because an unidentified actor gained control of the phone number associated with the account and used that to gain access to SEC’s official X page. This is more commonly known as a SIM swap hack.

“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” wrote the X safety team.

“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”

A SIM swap hack is a form of identity theft where an attacker takes over a victim’s phone number, allowing them to access social media, bank and crypto accounts. 

In this case, the hacker is likely to have convinced a third-party telecommunications provider to hand over control of the phone number tied to the SEC’s account. If the hacker also knew the correct email address used to sign into the account, they could use the phone number to reset the SEC’s official account password and gain access. 

Blockchain sleuth ZachXBT took the opportunity to repackage SEC Chair Gary Gensler’s own previous advice on social media security in a humorous comment made in response to the original X safety post. 

United States Senators J.D. Vance and Thom Tillis penned a letter to Gensler on Jan. 9, lashing the agency for its lack of operational security and asking for an explanation for the incident within the next four days.

“These developments raise serious concerns regarding the Commission’s internal cybersecurity procedures and are antithetical to the Commission’s tripart mission to protect investors,” wrote the letter. 

Vance and Thillis' letter joined a growing roster of calls for transparency on the matter, with several members of Congress also demanding an official investigation into the incident. U.S. Senator Bill Hagerty called the SEC on its own turf, saying that if this mishap had been caused by an actor on the other side of the fence, the agency would naturally call for an investigation. 

“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened. This is unacceptable.”

Related: Bitcoin ETF decision unlikely to be delayed due to SEC hack: Commentators

U.S. Senator Cynthia Lumiss added her voice to the fray, demanding transparency into “fraudulent announcements.”

X’s owner and Tesla CEO Elon Musk also took the opportunity to push back on an earlier claim made on CNBC that the SEC hack resulted from X’s own internal systems being breached. 

“That’s how legacy media runs,” said Musk. Earlier, he suggested that the SEC password was “LFGDogeToTheMoon.”

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks

Tags: