Summary
The Securities and Exchange Commission (SEC) disabled multi-factor authentication (MFA) on its X account, which was compromised earlier this month. The SEC stated that MFA was disabled in July 2023 due to access issues and remained disabled until the account was compromised. MFA is now enabled for all SEC social media accounts. The SEC confirmed that an unauthorized party obtained control of an SEC cell phone number through a SIM swap attack. The agency’s lack of MFA has drawn criticism and calls for an investigation. The SEC is working with law enforcement entities to investigate the incident.
Key Points
1. The Securities and Exchange Commission disabled multi-factor authentication on its X account, which led to a false post about spot bitcoin ETFs being approved. The disabling was carried out by X Support in July 2023 because of issues accessing the account.
2. The SEC’s lack of multi-factor authentication for its social media accounts, including the compromised X account, drew criticism and calls for an investigation.
3. The unauthorized party gained control of an SEC cell phone number associated with the account through a SIM swap attack, in which a phone number is transferred to another device without authorization. The SEC clarified that access to the phone number occurred via the telecom carrier and not through SEC systems. Law enforcement is currently investigating the incident.