SEC’s account did not have 2-factor authentication: X security team
The attacker which is a third-party telecommunications provider into gaining control of the phone number associated with the @SECGov account.
- Tech News
- 2 min read

2-Factor Authentication: The safety team at X, formerly known as Twitter, has disclosed a security lapse involving the United States Securities and Exchange Commission (SEC). According to X's safety page, the SEC's main X account was compromised due to a SIM swap attack, facilitated by the absence of two-factor authentication (2FA). This breach led to a false endorsement of a spot Bitcoin exchange-traded fund (ETF) on the SEC's official X page, causing disruption in crypto markets.
A SIM swap attack involves an assailant taking control of a victim's phone number, subsequently gaining unauthorised access to various accounts, including social media and financial platforms. In this instance, the perpetrator likely coerced a third-party telecommunications provider into gaining control of the phone number associated with the @SECGov account.
With access to the phone number and potential knowledge of the corresponding email address, the hacker could reset the account password and gain entry.
Concerns over cybersecurity measures
The incident has elicited strong reactions from policymakers. Senators JD Vance and Thom Tillis addressed a letter to SEC Chair Gary Gensler, expressing concerns over the agency's lax cybersecurity measures.
Advertisement
They demanded an explanation within a four-day period, stating that the breach undermines the SEC's mandate to safeguard investors. Their missive joins a chorus of calls for transparency and accountability, with several congressional members advocating for an official investigation.
Furthermore, US Senator Bill Hagerty criticised the SEC's handling of the situation, highlighting the agency's swift action had the roles been reversed. Senator Cynthia Lumiss echoed this sentiment, urging transparency regarding "fraudulent announcements."
Advertisement
Meanwhile, Elon Musk, CEO of Tesla and owner of X, refuted claims attributing the breach to X's internal systems.