(Web Desk) - An unknown attacker was able to steal control of the US Securities and Exchange Commission’s X account in early January because the SEC had disabled a critical cybersecurity protection, the agency admitted. The new details about the Jan. 9 X account hack — which led to a viral hoax message about the SEC approving exchange-traded funds for bitcoin — raise questions about the SEC’s cybersecurity posture and its ability to thwart malicious actors intent on sowing chaos in U.S. financial markets.
The SEC last June asked X to disable a security feature known as multi-factor authentication (MFA), which adds an extra login step on top of the traditional password, after agency employees had “issues accessing the account,” according to a new SEC statement.
“Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” the agency said.
MFA requires users to quickly input a regularly changing numerical code after they enter their password, making it extremely difficult for a hacker to commandeer an account.
But with MFA disabled on the SEC’s X account, the only thing protecting it was a simple password.
And according to the SEC’s new statement, the hackers — who have yet to be publicly identified — were able to reset that password using a sophisticated trick.
X, like other social networks, allows a person to reset their account’s password by entering a code they receive through a text message.
To breach the SEC’s account, the hackers somehow figured out which phone number was tied to the account and convinced the wireless carrier controlling that phone number to transfer it to a phone they controlled.
This process is known as “SIM swapping,” because carriers associate phone numbers with SIM cards installed in cell phones. After hijacking the SEC X account’s phone number, the hackers had X text them a password-reset code, giving them control of the account.