The US Securities and Exchange Commission (SEC) has revealed more details about the recent hack of its social media account, including some embarrassing details about how the attack was possible.
The SEC's X account had posted an announcement about the approval of Bitcoin ETFs. The post was removed 20 minutes later, and the SEC announced that its X account had been compromised.
The SEC has now confirmed that multi-factor authentication (MFA) was not enabled on the account, and that the account was taken over by means of a SIM swap attack.
The SEC had its own MFA disabled
The SEC revealed that the hackers gained access to the account through a SIM swap attack, in which an attacker takes control of a phone number by tricking the carrier into transferring it to a device the attacker controls. This gave them every text message and call sent to the SEC's number, including any one-time codes delivered by SMS.
With the number under their control, the hacker was able to reset the password on the SEC's X account. The SEC confirmed later the same day that the announcement was false; it approved Bitcoin ETFs only the following day.
In a statement, the SEC said: “Two days after the incident, the SEC, in consultation with the SEC’s telecommunications provider, determined that the unauthorized party obtained control of the SEC’s mobile phone number associated with the account in an apparent ‘SIM swap’ attack.”
The SEC had asked X to disable multi-factor authentication because it was causing problems when staff tried to log in. Had MFA still been enabled on the account, with a factor other than SMS to the same number (which the SIM swap would also have captured), the password reset alone would not have given the hackers access to the SECGov account.
Speaking to Ny Breaking, Dr. Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University commented: “It’s another timely reminder that 2FA via SMS is susceptible to interception and will be replaced by more robust 2FA mechanisms, for example OTP via mobile app.
“While the hack of the SEC’s X account is a minor security incident, all government agencies will review the security of their social networking accounts. An SEC account breach may cause market volatility for a short period of time, but a message on
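The app-based OTP that Kolochenko recommends over SMS is time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP). The block below is an added example written for this page, not code from the article, the SEC, or ImmuniWeb. It generates and verifies TOTP codes with the standard library only; the shared secret and timestamps are the published RFC test vectors, and the function names (hotp, totp, verify_totp) are this example's own. The point it illustrates: after one-time enrollment the secret lives on the phone and the server, and no code ever crosses the carrier network, so control of the phone number gives an attacker nothing.

```python
# Added example (not from the article): RFC 6238 TOTP generator and verifier,
# the "OTP via mobile app" mechanism recommended over SMS codes.
# Standard library only. Function names are this example's own.
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                   # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at=None, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step and `skew` steps either side,
    to tolerate clock drift between phone and server. The comparison is
    constant-time so a wrong guess does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    counter = at // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


# Constructed demo input: the shared secret from the RFC 6238 test vectors
# (ASCII "12345678901234567890"). A real deployment generates this randomly
# at enrollment and provisions it via QR code, never by SMS.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    t = 1111111109                                   # timestamp from RFC 6238 Appendix B
    code = totp(RFC_SECRET, at=t, digits=8)
    print("code at", t, "=", code)
    print("accepted at issue time:", verify_totp(RFC_SECRET, code, at=t, digits=8))
    print("accepted 30s later (within skew):", verify_totp(RFC_SECRET, code, at=t + 30, digits=8))
    print("accepted 2 min later (expired):", verify_totp(RFC_SECRET, code, at=t + 120, digits=8))
```

The skew window is the one tuning knob worth thinking about: a window of one step either side covers ordinary clock drift, while a wider window multiplies an attacker's chance of guessing a live code. Note also what this does not fix: if the account's password-reset path still sends a code by SMS to the same number, a SIM swap bypasses the app-based factor entirely, which is why the reset and recovery flows need to be moved off SMS along with the login factor.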
Via BleepingComputer