The X Safety team disclosed that the United States Securities and Exchange Commission (SEC) did not have two-factor authentication (2FA) enabled on its main X account, which allowed a hacker to gain access through a SIM swap attack. The security breach resulted in a false confirmation of a spot Bitcoin ETF from the SEC’s official account on the social media platform. In the SIM swap attack, the hacker took control of the phone number associated with the @SECGov account and used it to gain unauthorized access. The lack of 2FA on the compromised account was highlighted as a vulnerability.


Key Points:

  • Security Breach at SEC: The X Safety team revealed that the SEC's false confirmation of a spot Bitcoin ETF on X was the result of a SIM swap attack. The hacker gained control of the phone number associated with the @SECGov account, enabling unauthorized access.

  • Two-Factor Authentication Absence: X Safety's investigation found that the compromised SEC account did not have two-factor authentication (2FA) enabled at the time of the security breach. The absence of 2FA was identified as a contributing factor to the unauthorized access.

  • SIM Swap Attack Explanation: A SIM swap attack involves an attacker taking over a victim's phone number, which can then be used to gain access to accounts tied to that number, including social media, bank, and crypto accounts. In this case, the hacker likely convinced a third-party telecommunications provider to transfer control of the phone number associated with the SEC's account.

  • Elon Musk's Response: X's owner, Elon Musk, responded to the incident and refuted an earlier claim that the SEC hack was a result of X's own internal systems being breached. Musk emphasized the importance of implementing cybersecurity measures, including 2FA.

  • Social Media Security Reminder: The incident prompted a humorous comment from blockchain sleuth ZachXBT, highlighting SEC Chair Gary Gensler's previous advice on social media security. Gensler's recommendations for securing social media accounts were revisited in response to the security breach.

Conclusion: The security breach at the SEC, resulting in a false Bitcoin ETF announcement on X, was attributed to a SIM swap attack facilitated by the absence of two-factor authentication (2FA) on the compromised account. The incident underscores the importance of implementing robust cybersecurity measures, including 2FA, to protect official accounts from unauthorized access. Elon Musk's response and the reminder of social media security practices emphasize the ongoing challenges of securing online platforms against various threats.


(TOM MITCHELHILL, COINTELEGRAPH, 2023)