How did a hacker gain access to the Securities and Exchange Commission’s Twitter account? A SIM-swap attack gave them control of a phone number associated with the @SECGov account.
Twitter’s Security team clarified that the account compromise was not the result of a breach in Twitter’s systems, but was done by an unidentified individual who gained control of a phone number associated with the @SECGov account through a third party.
Twitter also confirmed that the compromised account did not have two-factor authentication enabled at the time.
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
The company didn’t identify the third party. But it looks like the hacker learned which phone number was registered to @SECGov. They then probably manipulated a cellular provider into handing over the phone number via a SIM swap. In these scenarios, the carrier reassigns the mobile phone number to a new SIM card, which is then placed in the hacker’s phone.
SIM-swapping attacks can be devastating since many online accounts will send password-reset codes to the owner’s mobile phone number. This has allowed cybercriminals to take over cryptocurrency accounts, as well as Twitter accounts. In 2019, former Twitter CEO Jack Dorsey suffered a SIM swap that resulted in hackers posting racist comments on his account.
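The takeover pattern described above (a reset code delivered by SMS, then a login from an unfamiliar device with no second factor, then posts) can be spotted in an account provider's own audit trail. The detection below is an added example, not code from X or the SEC; the event schema, account names and IPs are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; not real data from X or the SEC.
EVENTS = [
    {"ts": "2024-01-09T12:00:00", "account": "@acme_corp", "event": "password_reset_requested",
     "channel": "sms", "ip": "198.51.100.7"},
    {"ts": "2024-01-09T12:03:00", "account": "@acme_corp", "event": "login_success",
     "new_device": True, "mfa": False, "ip": "198.51.100.7"},
    {"ts": "2024-01-09T12:05:00", "account": "@acme_corp", "event": "post_created", "ip": "198.51.100.7"},
    {"ts": "2024-01-09T09:00:00", "account": "@other_org", "event": "password_reset_requested",
     "channel": "sms", "ip": "203.0.113.9"},
    {"ts": "2024-01-09T09:02:00", "account": "@other_org", "event": "login_success",
     "new_device": True, "mfa": True, "ip": "203.0.113.9"},
]

def find_sms_reset_takeovers(events, window=timedelta(minutes=15)):
    """Flag accounts where an SMS-delivered password reset is followed, within `window`,
    by a login from a new device that did not complete MFA. That sequence is what a
    SIM swap produces: the attacker receives the reset code, logs in, and posts.
    Returns one alert per matching reset, with the number of posts made afterwards."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_account.setdefault(e["account"], []).append(e)
    alerts = []
    for acct, evs in by_account.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "password_reset_requested" or reset.get("channel") != "sms":
                continue
            t0 = datetime.fromisoformat(reset["ts"])
            login = None
            posts = 0
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                if later["event"] == "login_success" and later.get("new_device") and not later.get("mfa"):
                    login = later
                elif login and later["event"] == "post_created":
                    posts += 1  # activity from the suspicious session, for triage severity
            if login:
                alerts.append({"account": acct, "reset_at": reset["ts"],
                               "login_at": login["ts"], "ip": login["ip"], "posts_after": posts})
    return alerts

if __name__ == "__main__":
    for alert in find_sms_reset_takeovers(EVENTS):
        print(alert)
```

Accounts whose new-device login completed MFA (here @other_org) are not flagged, which is the gap that enabling two-factor authentication closes.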
Tuesday’s hijacking of the SEC’s account shows that SIM-swapping attacks are more than just PR headaches. The hacker used @SECGov to fraudulently claim that the federal regulator had cleared Bitcoin ETFs (exchange-traded funds) for all national securities exchanges. This sent the price of Bitcoin soaring on Tuesday. But the value abruptly plummeted after SEC Chair Gary Gensler warned the public that the @SECGov account had been compromised.
The @SECGov Twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— Gary Gensler (@GaryGensler) January 9, 2024
The hijacking has since caused embarrassment for the SEC, especially since Gensler himself published a tweet back in October urging users to enable multi-factor authentication. At the same time, US lawmakers are demanding answers about how the hack occurred.