Photo by Amelia Holowaty Krales / The Verge

The Securities and Exchange Commission has linked a SIM swapping attack to its account breach on X earlier this month, which led to the creation of a fake post announcing approval of Bitcoin ETFs that caused the cryptocurrency’s price to spike. In an update on Monday, the SEC says an “unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”

A SIM-swapping attack occurs when a bad actor obtains a victim’s phone number through techniques like social engineering. That allows the attacker to intercept calls and texts intended for the victim, including two-factor authentication codes, which they can then use to sign in to their victim’s accounts.

In the SEC’s case, a bad actor reset the password for its X account after gaining control of the phone number linked to it. While the SEC says multifactor authentication was previously enabled on the agency’s X account, it was “disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.” The SEC only reenabled MFA after it realized its account was compromised on January 9th, and says it has MFA active on all of its other social media accounts that have the option.

The SEC says law enforcement is still investigating how the attacker found out which phone number it was using for its X account, and how they got the mobile carrier to swap SIMs.

Photo by Amelia Holowaty Krales / The Verge

The Securities and Exchange Commission has linked a SIM swapping attack to its account breach on X earlier this month, which led to the creation of a fake post announcing approval of Bitcoin ETFs that caused the cryptocurrency’s price to spike. In an update on Monday, the SEC says an “unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”

A SIM-swapping attack occurs when a bad actor obtains a victim’s phone number through techniques like social engineering. That allows the attacker to intercept calls and texts intended for the victim, including two-factor authentication codes, which they can then use to sign in to their victim’s accounts.

In the SEC’s case, a bad actor reset the password for its X account after gaining control of the phone number linked to it. While the SEC says multifactor authentication was previously enabled on the agency’s X account, it was “disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.” The SEC only reenabled MFA after it realized its account was compromised on January 9th, and says it has MFA active on all of its other social media accounts that have the option.

The SEC says law enforcement is still investigating how the attacker found out which phone number it was using for its X account, and how they got the mobile carrier to swap SIMs.