📣 SEC Confirms: MFA Deactivation Led to Security Breach
posted 23 Jan 2024
The U.S. Securities and Exchange Commission (SEC) has confirmed that an attacker gained unauthorized access to its X (formerly Twitter) account through a SIM swap attack. According to the SEC's statement, once the attacker controlled the phone number associated with the account, they used it to reset the account's password.
How the attacker persuaded the mobile carrier to transfer the SEC's phone number to a SIM card under their control, and how they determined which phone number was linked to the account, remain unclear.
On January 9, 2024, the attacker published a false post claiming that spot Bitcoin ETFs had been approved, a day before the SEC's official announcement.
The SEC's account did not have multi-factor authentication (MFA) enabled at the time. In July 2023, an SEC staff member had asked X support to disable MFA because of problems accessing the account, and it was not re-enabled until after the compromise was discovered. Note that MFA would only have helped if the second factor was not itself tied to the phone number: SMS-based codes are delivered to whoever controls the number, so a SIM swap defeats them as well.
Notably, SEC Chairman Gary Gensler had previously recommended that users enable MFA to protect their accounts, advice the SEC itself had evidently not followed for its own account.