Yesterday, the Securities and Exchange Commission (SEC) faced a significant security breach when its official Twitter account, @SECGov, was hijacked. The incident, confirmed by Twitter’s Safety team, was the result of a SIM-swap attack. This sophisticated method involved an unidentified individual gaining control over the phone number linked to the SEC’s Twitter account, enabling them to bypass security measures.
Twitter clarified that the compromise did not stem from a breach of their systems. Instead, the hacker targeted a third party to obtain control of the phone number associated with @SECGov. The exact identity of the third party remains undisclosed. However, it appears the attacker persuaded a cellular provider to transfer the SEC’s phone number to a new SIM card, effectively granting them access to the account.
A crucial factor in this security lapse was the absence of two-factor authentication on the @SECGov account at the time of the attack, which left the phone number as the account's only recovery safeguard. SIM-swap attacks pose a significant threat precisely because they redirect password-reset codes sent via SMS to the attacker's phone, leading to unauthorized account access.
This incident isn’t an isolated one. High-profile individuals and organizations have previously fallen victim to similar attacks, including former Twitter CEO Jack Dorsey in 2019.
The ramifications of the attack were immediately evident in the financial markets. The hacker used the @SECGov account to falsely announce that the SEC had approved Bitcoin ETFs (Exchange-Traded Funds) for all national securities exchanges. This announcement led to a temporary surge in Bitcoin’s value, followed by a sharp decline after SEC Chair Gary Gensler alerted the public about the account compromise.
This breach not only caused market disruption but also brought embarrassment to the SEC, particularly because Gary Gensler had himself urged the public to use multi-factor authentication in October. In the wake of the attack, US lawmakers are now seeking explanations for the security failure, highlighting growing concerns over digital security in governmental agencies.