US SEC X account hacker hijacked staffer phone number, agency says
A HACKER hijacked a United States Securities and Exchange Commission (SEC) staffer’s phone number to make a fake social media post earlier this month, according to the regulator. The post prematurely claimed that the SEC had approved a spot Bitcoin exchange-traded fund to trade in the US.
The SEC said on Monday (Jan 22) that an unnamed person changed the password for the agency’s account after gaining control of an agency employee’s phone number to make the false post on Jan 9. The message, which was later deleted, caused a brief surge in the price of the world’s biggest cryptocurrency. The agency ultimately did approve almost a dozen of the products the following day.
In its most detailed statement yet on US authorities’ ongoing probe into the incident, the SEC said that an employee’s phone was targeted in a “SIM swap” attack through the agency’s telecom carrier. That attack enabled the hacker to seize control of the agency’s account on X, formerly Twitter.
“SEC staff have not identified any evidence that the unauthorised party gained access to SEC systems, data, devices, or other social media accounts,” the agency said.
The US Justice Department, FBI, the Department of Homeland Security’s cyber unit, the Commodity Futures Trading Commission, and the SEC’s inspector general and enforcement division all continue to investigate the incident, the agency said.
The SEC also said that multifactor authentication of its X account was disabled last July and was not re-enabled until after the incident. Multifactor authentication is now enabled on all of the SEC social media accounts that offer it, according to the regulator. BLOOMBERG