A US regulator has confirmed that its official X (formerly Twitter) account was hijacked earlier this month after hackers were able to take over the phone number associated with the account.
The Securities and Exchange Commission (SEC) revealed in an update yesterday that the January 9 incident was caused by a classic SIM swap attack.
“SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number,” it explained.
“Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”
Once in control of the number, the hackers reset the password, enabling them to take full control of the account.
“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the regulator continued.
“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”
While having MFA disabled is poor practice for a government body, SIM swappers would still have been able to intercept a one-time passcode sent by X over SMS to authenticate. That’s why senators have urged the SEC to use “phishing-resistant MFA” such as authenticator apps.
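The contrast drawn above, as an added illustration that is not code from the article, the SEC or X: an SMS one-time code is delivered to whichever device the carrier currently routes the number to, whereas an authenticator app derives its code (TOTP, RFC 6238 over HOTP, RFC 4226) from a secret stored on the enrolled device and the current time, so the verifier never touches a phone number. The `ToyCarrier` class and the secret value are constructed for the example; the TOTP values come from the RFC 6238 reference test vectors.

```python
"""Added example: why a TOTP authenticator survives a SIM swap and an SMS code does not."""
import hashlib
import hmac
import struct

# --- Authenticator-app factor: TOTP built on HOTP ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Inputs are the enrolled secret and the clock only:
    no phone number is involved, so re-routing a number changes nothing here.
    `window` tolerates small clock drift between device and server."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


# --- SMS factor: constructed model of carrier routing ---

class ToyCarrier:
    """Constructed stand-in for a telecom carrier: the routing table decides
    which physical device (SIM holder) receives messages for a number."""

    def __init__(self) -> None:
        self.routing: dict[str, str] = {}

    def assign(self, number: str, device: str) -> None:
        # In the incident described, this is the step the carrier performed
        # at the attacker's request: the number now points at a new SIM.
        self.routing[number] = device

    def deliver_sms(self, number: str, text: str) -> tuple[str, str]:
        """Returns (device that received it, message)."""
        return self.routing[number], text


def sms_code_recipient(carrier: ToyCarrier, number: str, code: str) -> str:
    """Who actually receives an SMS one-time code for `number` right now."""
    device, _ = carrier.deliver_sms(number, f"Your login code is {code}")
    return device


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 reference secret, not a real key
    print(totp(SECRET, 59), verify_totp(SECRET, totp(SECRET, 59), 59))
    carrier = ToyCarrier()
    carrier.assign("+15550100", "owner-phone")
    print(sms_code_recipient(carrier, "+15550100", "123456"))
```

The defensive point the model makes: the SMS verifier's trust is delegated to the carrier's routing table, which the account owner does not control, while `verify_totp` depends only on a secret that was enrolled once and never leaves the device. FIDO2/WebAuthn keys go a step further than TOTP by binding the response to the site origin, which is what "phishing-resistant" refers to.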
The account itself was hijacked in early January to publish a fake announcement that the regulator had approved the listing and trading of Bitcoin exchange-traded funds (ETFs) on securities exchanges. In the end, the SEC made the announcement for real the following day.
SIM swapping typically happens when a scammer manages to socially engineer a telco employee into porting a customer’s phone number to a device under their control. On some occasions, they use malicious insiders working at telco carriers.
“Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the SEC said.