SEC says multi-factor authentication had been turned off in run-up to false X post about bitcoin ETF approval

Quick Take

  • An SEC spokesperson provided an update on Monday on how a phony post was able to go out on its X account earlier this month.
  • The agency's MFA had been disabled over the summer and remained disabled until that post went out, the spokesperson said.

The Securities and Exchange Commission said Monday that multi-factor authentication on its X account had been disabled in the run-up to a false post earlier this month, which went out before spot bitcoin ETFs had been formally approved.

"While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account," the SEC said in a statement on Monday. "Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9." 

MFA is enabled now for all SEC social media accounts that offer it, the agency's spokesperson added. 

X confirmed in a post on Jan. 9 that the SEC's X account was compromised after someone obtained control over a phone number associated with the account. The platform's security team noted that the SEC did not have two-factor authentication enabled on its account when it was compromised.

The agency's lack of MFA garnered criticism from some in Washington, D.C., who have called for an investigation into the matter.

'SIM Swap'

The SEC said Monday that an "unauthorized party" obtained control of an SEC cell phone number associated with the account in an apparent "SIM swap" attack. SIM swapping is a technique used to transfer someone's phone number to another device without authorization, the agency added.

"Access to the phone number occurred via the telecom carrier, not via SEC systems," the spokesperson said. "SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts." 

After getting control of the phone number, the unauthorized party reset the password for the SEC's X account, the spokesperson said on Monday. 

"Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account," the spokesperson said. 

The SEC spokesperson also said the agency's staff is continuing to work with the SEC's Office of Inspector General, the FBI, the Commodity Futures Trading Commission and the Department of Justice, among other law enforcement entities.


Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Sarah is a reporter at The Block covering policy, regulation and legal happenings. Before, Sarah was a reporter with CQ Legal writing about securities regulation, which is where she first started reporting on crypto. Sarah has also written for The Bond Buyer and American Banker, among other finance-related publications. She graduated from the University of Missouri and earned a degree in print and digital journalism. Sarah is based in Washington D.C., and is an avid coffee lover. You can follow her on Twitter @ForTheWynn.

Editor: Nathan Crooks