US regulator admits cyber-security lapse before rogue Bitcoin post


The US financial regulator has confirmed a key security procedure on its X account had been suspended for six months when hackers made a fake post about Bitcoin in January.

The cryptocurrency surged in value before the post was deleted.

The Securities and Exchange Commission (SEC) did not have multi-factor authentication (MFA) in place when hackers gained access to the account.

Cyber-security experts say it should be a wake-up call for other agencies.

"While the SEC's X account hack is a minor security incident, all governmental agencies should review the security of their social network accounts," said Ilia Kolochenko from cyber-firm ImmuniWeb.

He pointed out that a similar incident at a body such as the US Department of Defense could have more "devastating consequences".

"While MFA had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff's request, in July 2023 due to issues accessing the account," the SEC said in a statement.

"Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on January 9.

"MFA currently is enabled for all SEC social media accounts that offer it."

Sim-swapping attack

The SEC has confirmed the account was compromised by a fraudster convincing a mobile operator to transfer an SEC employee's phone number to a new Sim.

The employee who was targeted had their phone number associated with the SEC's account for X, formerly known as Twitter.

Because MFA had been suspended on the account, the hacker was able to reset the password, log in and make a post.

The post announced the SEC had approved so-called exchange-traded funds (ETFs) for Bitcoin, which shot up in value to $48,000 (£37,800) before the post was withdrawn.

Though the SEC has subsequently confirmed the regulatory change, the cryptocurrency fell to just over $38,600 on Tuesday, its lowest value in 2024 so far.

In a Sim-swapping attack, typically a hacker will call a mobile phone operator claiming they have lost the phone they are targeting and need a new Sim card sent out to them.

Sometimes, the hackers will go into a store in person to carry out the con.

MFA is intended to protect against this kind of hack.

It takes many forms, including a dedicated app that gives you a PIN code for a website, as well as a code sent by text message, though the text-message method is considered less secure.

If the verification method a person chooses is a text confirming they are the user, anyone who has gained control of their phone number will receive that text message instead.

Because of this, experts advise people to use a dedicated app for verification instead.