The US Securities and Exchange Commission (SEC) has revealed more details about the recent hack of its social media accounts, including some slightly embarrassing details about how the attack was possible.
The SEC However, the post was removed 20 minutes later and the SEC announced that its X account had been compromised.
Now the SEC has announced that the account not only did not have multi-factor authentication (MFA) enabled, but was also breached in a SIM swapping attack.
The SEC disabled its own MFA
In a statement, the SEC revealed that the attackers gained access to the account through a SIM swapping attack, in which an attacker takes over a phone number by tricking the carrier into transferring it to a SIM the attacker controls. This gave them every incoming text message and call sent to that number, including any SMS-based verification codes.
This allowed the hacker to reset the SEC Later that same day, the SEC announced that while the original announcement was false, it had actually approved Bitcoin ETFs.
In a statement, the SEC said: “Two days after the incident, in consultation with the SEC's telecommunications operator, the SEC determined that the unauthorized party gained control of the SEC's cell phone number associated with the account in an apparent 'SIM swapping' attack.”
The SEC had asked X to disable multi-factor authentication because it was causing problems when staff tried to log in. Had MFA remained enabled on the account, control of the phone number alone would not have been enough to take over the SECGov account.
Speaking to TechRadar Pro, Dr. Ilia Kolochenko, CEO and Chief Architect of ImmuniWeb and Associate Professor of Cybersecurity and Cyber Law at Capital Technology University, commented: “It's another timely reminder that 2FA over SMS is susceptible to interception and should be replaced by more robust 2FA mechanisms, e.g. OTP via a mobile app.
“While the hack of SEC account a short period of time; however, a message in
Via BleepingComputer