{"id":2404,"date":"2024-01-22T22:46:33","date_gmt":"2024-01-22T22:46:33","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78873"},"modified":"2024-01-22T22:46:33","modified_gmt":"2024-01-22T22:46:33","slug":"sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/22\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking\/","title":{"rendered":"SEC blames sim-swapping, lack of MFA for X account hijacking"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>SEC blames sim-swapping, lack of MFA for X account hijacking | CyberScoop<\/title> <meta name=\"description\" content=\"Multifactor authentication was disabled at the SEC\u2019s request last year after staff had difficulties accessing the social media account.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/sec-x-twitter-bitcoin\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"SEC blames sim-swapping, lack of MFA for X account hijacking\"> <meta property=\"og:description\" content=\"Multifactor authentication was disabled at the SEC\u2019s request last year after staff had difficulties accessing the social media account.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/sec-x-twitter-bitcoin\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-01-22T22:46:33+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1272\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"eliasgroll\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1705595524g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1705882623g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78873\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=78873\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsec-x-twitter-bitcoin%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsec-x-twitter-bitcoin%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78873 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/sec-x-twitter-bitcoin\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path 
d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.09387755102\">\n<div class=\"single-article__header-content\" readability=\"29.512195121951\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Multifactor authentication was disabled at the SEC\u2019s request last year after staff had difficulties accessing the social media account. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"424\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking.jpg?resize=640%2C424&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=300,199 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=768,509 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=1024,678 1024w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=1536,1018 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=600,398 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=254,168 254w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=509,337 509w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=1019,675 1019w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-2.jpg?resize=1272,843 1272w\" sizes=\"(max-width: 1019px) 100vw, 1019px\"><figcaption> In this photo illustration, a visual representation of the digital cryptocurrency Bitcoin is displayed in front of Securities and Exchange Commission (SEC) logo on January 10, 2024 in Paris, France. (Photo illustration by Chesnot\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"27.08940397351\"><body readability=\"55.854166666667\"><\/p>\n<p>The Securities and Exchange Commission confirmed Monday that a hack of the agency\u2019s account on the social media site X earlier this month was done through an \u201capparent SIM swap attack\u201d and that the account did not have multifactor authentication enabled.<\/p>\n<p>According to a <a href=\"https:\/\/www.sec.gov\/secgov-x-account\">statement from the agency<\/a>, an internal investigation following the Jan. 
9 account hijacking determined that an unauthorized party had obtained control of a phone number associated with the SEC\u2019s X account through the agency\u2019s telecommunications carrier. <\/p>\n<p>SIM-swapping involves gaining control of a cellular phone number by convincing a mobile carrier to transfer a number to a SIM card controlled by the attacker. Once the attacker controls the victim\u2019s phone number, they receive the calls and text messages sent to it, including any password-reset codes, and can use those to reset the password of accounts belonging to the victim.<\/p>\n<p>Having gained control of the number associated with the agency\u2019s account, the swapper reset the SEC\u2019s password on X, giving them access to the agency\u2019s account. The investigation was carried out by the SEC Office of Inspector General, the FBI, the Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice and the SEC\u2019s enforcement division.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAmong other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.\u201d<\/p>\n<p>The statement also confirmed initial public comments <a href=\"https:\/\/cyberscoop.com\/after-hack-x-claims-sec-failed-to-use-two-factor-authentication\/\">from X<\/a> that the SEC account in question had disabled multifactor authentication. 
The agency said multifactor authentication on the account was \u201cdisabled by X support, at the staff\u2019s request, in July 2023 due to issues accessing the account.\u201d<\/p>\n<p>The agency said it now has multifactor authentication enabled \u201cfor all SEC social media accounts that offer it.\u201d<\/p>\n<p>According to a transparency <a href=\"https:\/\/transparency.twitter.com\/en\/reports\/account-security.html#2021-jul-dec\">report<\/a> on account security published by Twitter\/X covering the last half of 2021, two-factor authentication is rarely used, and when it is, most accounts opt for the least secure method. Just 2.6% of accounts between July and December 2021 utilized two-factor authentication, and of those that did, nearly three out of four (74%) chose to verify through SMS or texts.&nbsp;<\/p>\n<p>Cybersecurity experts say that while SMS-based authentication is better than nothing, it is more vulnerable to SIM-swapping and social engineering than other factors like email or a security key.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Twitter <a href=\"https:\/\/blog.twitter.com\/en_us\/topics\/company\/2023\/an-update-on-twitter-transparency-reporting\">stopped publishing<\/a> formal biannual transparency reports at the beginning of 2022. 
Last year, new owner Elon Musk\u2019s changes to the platform included the disabling of SMS multifactor authentication as an option for non-paying accounts.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"0.34090909090909\">\n<div class=\"author-card\" readability=\"7\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/sec-blames-sim-swapping-lack-of-mfa-for-x-account-hijacking-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div 
class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/sec-x-twitter-bitcoin\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SEC blames sim-swapping, lack of MFA for X account hijacking<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1355,282,117,1396,1324,608],"tags":[1357,286,119,1397,1326,611],"class_list":["post-2404","post","type-post","status-publish","format-standard","hentry","category-bitcoin","category-cybercrime","category-government","category-multi-factor-authentication-mfa","category-securities-and-exchange-commission-sec","category-twitter","tag-bitcoin","tag-cybercrime","tag-government","tag-multi-factor-authentication-mfa","tag-securities-and-exchange-commission-sec","tag-twitter"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber 
Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bitcoin\/\" rel=\"category tag\">bitcoin<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/multi-factor-authentication-mfa\/\" rel=\"category tag\">multi-factor authentication (MFA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/securities-and-exchange-commission-sec\/\" rel=\"category tag\">Securities and Exchange Commission (SEC)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/twitter\/\" rel=\"category tag\">Twitter<\/a>","tag_info":"Twitter","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2404"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2404\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel
}","templated":true}]}}