SEC says multi-factor authentication had been turned off in run-up to false X post about bitcoin ETF approval

The Securities and Exchange Commission said Monday that multi-factor authentication on its X account had been disabled in the run-up to a false post earlier this month before spot bitcoin ETFs had been formally approved.  

"While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account," the SEC said in a statement on Monday. "Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9." 

MFA is enabled now for all SEC social media accounts that offer it, the agency's spokesperson added. 

X confirmed in a post on Jan. 9 that the SEC's X account was compromised, as someone obtained control over a phone number associated with the account. The platform's security team noted that the SEC did not set up two-factor authentication for its account when it was compromised. 

The agency's lack of MFA garnered criticism from some in Washington D.C., who have called for an investigation into the matter. 

'Sim Swap'

The SEC said Monday that an "unauthorized party" obtained control of an SEC cell phone number associated with the account in an apparent "SIM swap" attack. SIM swapping is a technique used to transfer someone's phone number to another device without authorization, they added. 

"Access to the phone number occurred via the telecom carrier, not via SEC systems," the spokesperson said. "SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts." 

After getting control of the phone number, the unauthorized party reset the password for the SEC's X account, the spokesperson said on Monday. 

"Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account," the spokesperson said. 

The SEC spokesperson also said the agency's staff is continuing to work with the SEC's Office of Inspector General, the FBI, the Commodity Futures Trading Commission, the Department of Justice, among other law enforcement entities.