According to Blockworks, the US Securities and Exchange Commission (SEC) has admitted that the two-factor authentication on its X account had been disabled since July 2023. The SEC's official X account was compromised earlier this month, allowing an unauthorized person to access the account and make a fake post announcing the approval of spot bitcoin ETFs. The post remained on the account for approximately 15 minutes before Chair Gary Gensler announced the SEC's account had been compromised.
In a follow-up statement, the SEC revealed that X support asked the regulatory agency to disable the multi-factor authentication after the agency experienced difficulty accessing the account. The multi-factor authentication remained disabled until staff re-enabled it after the account was compromised on January 9. The SEC stated that multi-factor authentication is now enabled for all SEC social media accounts that offer it.
The hacker gained access to the account through a SIM swap, which involves transferring a phone number to another device without authorization. The SEC clarified that access to the phone number occurred via the telecom carrier, not through SEC systems. The SEC staff have not found any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.
The regulatory body is working with the Federal Bureau of Investigation, Homeland Security, the US Department of Justice, and its own Division of Enforcement to track down the attacker. Law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.