SEC Admits Multi-Factor Security Disabled Before Fake Bitcoin Post

A hacker was able to take control of a phone number associated with the US Security and Exchange Commission’s (SEC) official account on X, formerly Twitter, in order to make a premature announcement earlier this month that caused the price of cryptocurencies to skyrocket, the agency said.

The 9 January post on X said the SEC had approved the first spot Bitcoin exchange traded funds (ETFs), causing the price of Bitcoin to skyrocket to $48,000 (£38,000) before the post was removed.

The agency officially confirmed the approval of Bitcoin spot ETFs a day later, but as of Tuesday Bitcoin’s price remained in the doldrums at around $38,000, its lowest value so far this year.

Bitcoin surged in value during the fourth quarter of 2023 from around $26,000 to around $42,000 at the end of December as investors anticipated the approval of ETFs, which allow a broader range of investors to buy products linked to Bitcoin’s price without directly investing in the token.

SEC chair Gary Gensler. Image credit: SEC

SIM swap

Previously only Bitcoin futures ETFs had been approved by the regulator.

The SEC said late on Monday the phone number associated with its X account had been transferred to a different phone using a SIM swap hack, in which a telecoms carrier is tricked into transferring a number to a device under the hacker’s control.

The hacker can then create a new password and authenticate the process via a message sent to the phone number.

The SEC said it is still investigating how the trick was carried out and how the attacker discovered the number was associated with the account.

Image credit: Pexels

MFA disabled

It said multi-factor authentication (MFA), which requires an additional layer of security, such as a dedicated app, had been disabled for six months at the time of the hack at the SEC’s request.

“While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in a post on X.

“Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.”

MFA is currently enabled for all SEC social media accounts that offer it, the agency said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

21 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

22 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

23 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago