SEC did not have 2FA enabled: X safety team on fake Bitcoin ETF post

The SEC’s false Bitcoin ETF announcement resulted from a SIM swap attack, says the official X safety team following a preliminary investigation.

The safety team at X (formerly Twitter) has revealed that the United States Securities and Exchange Commission (SEC) did not have two-factor authentication (2FA) enabled on its main X account, allowing a hacker to gain access to it. 

The embarrassing revelation for the SEC follows a security breach that rocked crypto markets today with a false approval of a spot Bitcoin (BTC) exchange-traded fund (ETF) from the SEC’s official account on the social media platform.

In a Jan. 10 post, X’s safety page wrote that the SEC hack occurred because an unidentified actor gained control of the phone number associated with the account and used that to gain access to SEC’s official X page. This is more commonly known as a SIM swap hack.

We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…

— Safety (@Safety) January 10, 2024

“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” wrote the X safety team.

“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”

A SIM swap hack is a form of identity theft where an attacker takes over a victim’s phone number, allowing them to access social media, bank and crypto accounts. 

In this case, the hacker is likely to have convinced a third-party telecommunications provider to hand over control of the phone number tied to the SEC’s account. If the hacker also knew the correct email address used to sign into the account, they could use the phone number to reset the SEC’s official account password and gain access. 

Blockchain sleuth ZachXBT took the opportunity to repackage SEC Chair Gary Gensler’s own previous advice on social media security in a humorous comment made in response to the original X safety post. 

Hi @GaryGensler this is a reminder to secure your financial accounts as well as protect against identity theft and fraud.

Remember to:
Use strong passphrases or passwords
Set up multifactor authentication
Keep account alerts turned on#CybersecurityAwarenessMonth pic.twitter.com/KBNOV3KhAJ

— ZachXBT (@zachxbt) January 10, 2024

United States Senators J.D. Vance and Thom Tillis penned a letter to Gensler on Jan. 9, lashing the agency for its lack of operational security and asking for an explanation for the incident within the next four days.

“These developments raise serious concerns regarding the Commission’s internal cybersecurity procedures and are antithetical to the Commission’s tripart mission to protect investors,” wrote the letter. 

BREAKING: Senators @JDVance1 & @SenThomTillis Demand Explanation For The SEC’s Errant Announcement Of The Approval Of Spot-Bitcoin ETFs

“It is unacceptable that the agency entrusted with regulating the epicenter of the world’s capital markets would make such a colossal error.” pic.twitter.com/xG77jM9xAM

— Senator Vance Press Office (@SenVancePress) January 10, 2024

Vance and Thillis’ letter joined a growing roster of calls for transparency on the matter, with several members of Congress also demanding an official investigation into the incident. U.S. Senator Bill Hagerty called the SEC on its own turf, saying that if this mishap had been caused by an actor on the other side of the fence, the agency would naturally call for an investigation. 

“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened. This is unacceptable.”

Related: Bitcoin ETF decision unlikely to be delayed due to SEC hack: Commentators

U.S. Senator Cynthia Lumiss added her voice to the fray, demanding transparency into “fraudulent announcements.”

X’s owner and Tesla CEO Elon Musk also took the opportunity to push back on an earlier claim made on CNBC that the SEC hack resulted from X’s own internal systems being breached. 

That’s how the legacy media runs

— Elon Musk (@elonmusk) January 10, 2024

“That’s how legacy media runs,” said Musk. Earlier, he suggested that the SEC password was “LFGDogeToTheMoon.”