The Securities and Exchange Commission has linked a SIM swapping attack to the breach of its X account earlier this month, which led to a fake post announcing approval of Bitcoin ETFs and briefly sent the cryptocurrency's price spiking. In an update on Monday, the SEC says an "unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack."
A SIM-swapping attack occurs when a bad actor takes over a victim's phone number, typically through social engineering of the mobile carrier. That lets the attacker intercept calls and texts meant for the victim, including two-factor authentication codes sent by SMS, which they can then use to log in to the victim's accounts.
In the SEC's case, the attacker reset the password for its X account after gaining control of the phone number linked to it. While the SEC says multifactor authentication had previously been enabled on the agency's X account, it was "disabled by X Support, at the staff's request, in July 2023 due to issues accessing the account." The SEC only re-enabled MFA after it learned its account had been compromised on January 9th, and says it now has MFA active on all of its other social media accounts that offer the option.
The SEC says law enforcement is still investigating how the attacker found out which phone number it was using for its X account, and how they persuaded the mobile carrier to swap SIMs.