On the eve of the approval of the Bitcoin spot ETF, the U.S. Securities and Exchange Commission (SEC) scored an own goal. The incident triggered sharp market swings and widespread discussion in the cryptocurrency community.
After an investigation, the X security team confirmed that the SEC account had indeed been compromised and pointed out that the SEC had not enabled two-factor authentication (2FA), which showed clearly insufficient security awareness. The incident drew criticism from the community that the SEC strictly regulates the crypto industry while its own security protections are inadequate.
Office of Inspector General is investigating SEC X account hack
This security breach has attracted the attention of relevant departments of the US government. According to a post on X by Fox reporter Eleanor Terrett, the incident is currently being investigated by the Office of the Inspector General (OIG). The Office of the Inspector General is an independent agency responsible for oversight and review of government agencies. Its responsibilities include investigating abuse, fraud, or irregularities in government agencies and providing recommendations to improve the transparency and efficiency of government operations.
It is worth mentioning that Terrett pointed out the SEC's contradictory record on cybersecurity in her post:
The SEC's 2022 and 2023 oversight reports both emphasize the importance of ensuring that internal systems are compliant, and last November the inspector general requested information about the SEC's implementation of, or plans to implement, multi-factor authentication. In addition, according to the SEC's 2023 budget report, the agency plans to hire additional professionals to strengthen its security controls and procedures and to move the organization toward a "zero trust" cybersecurity strategy.
Against this planning background, the SEC had still not enabled two-factor authentication (2FA) on the account this year, which inevitably raised questions about its network security management capabilities.
SEC statement over the weekend admits the account was hacked
On the 12th, the SEC issued a statement in response to the compromise of its X account, revealing the details and latest developments of the incident. However, the statement did not mention that multi-factor authentication had not been enabled on the account, saying only that the SEC was assessing the possible impact of the incident on institutions, investors and the market.
According to the statement, shortly after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized person gained access to the SEC’s official X account by controlling the mobile phone number associated with the account. The unauthorized person then posted two tweets, one of which falsely claimed that the SEC approved a Bitcoin spot ETF, and liked two posts from unofficial accounts.
After becoming aware of the incident, SEC Office of Public Affairs staff issued a clarifying post via Chairman Gary Gensler's official X account at 4:26 p.m. and reversed the unauthorized actions. The statement noted that unauthorized access to the SEC's official account was terminated between 4:40 and 5:30 p.m.
This incident appears to involve a SIM swapping attack (SIM card hijacking), in which control of the phone number is enough to receive the SMS-delivered login codes. Had the SEC used non-SMS-based multi-factor authentication, such as an authenticator app like Google Authenticator or a hardware security key, the account takeover might have been prevented. The incident is particularly ironic because Gary Gensler published an article last October reminding investors to use 2FA to protect their financial accounts and recommending strong passwords. The SEC nevertheless failed to protect its own X account, and was criticized and ridiculed by the community.
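The point above is that an SMS factor is anchored to a phone number held at the carrier, whereas an authenticator app or hardware key is anchored to a secret that never leaves the device. The following added example (not part of the original article, and not SEC or X code) implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, the scheme Google Authenticator and similar apps use, and shows that server-side verification depends only on the shared secret and the current time: there is no phone number anywhere in the check, so moving the number to another SIM gives an attacker nothing. The secret `12345678901234567890` is the published RFC 6238 test-vector secret; the issuer and account label in the provisioning URI are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current period and +/- `window`
    neighbouring periods (clock skew tolerance). Inputs are the device-bound secret,
    the submitted digits and the server clock; no carrier or phone number is involved."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, len(submitted)), submitted)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, period: int = 30) -> str:
    """otpauth:// URI that authenticator apps scan at enrolment. The base32 secret is
    transferred once, at enrolment; afterwards only derived codes cross the network."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


# Constructed enrolment data (placeholders, not real SEC or X account material).
DEMO_SECRET = b"12345678901234567890"      # RFC 6238 SHA-1 test-vector secret
DEMO_ISSUER = "ExampleSocialNetwork"
DEMO_ACCOUNT = "press-office@example.gov"

if __name__ == "__main__":
    now = int(time.time())
    print("enrolment URI:", provisioning_uri(DEMO_SECRET, DEMO_ISSUER, DEMO_ACCOUNT))
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(DEMO_SECRET, code, now))
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082 (6-digit: 287082)
    print("RFC 6238 T=59 ->", totp(DEMO_SECRET, 59, digits=8))
```

Two design choices matter here. `verify_totp` uses `hmac.compare_digest` so the comparison time does not leak how many leading digits matched, and the skew `window` should stay small (one period each side) because every extra accepted period multiplies the guessing surface; a real deployment also rate-limits attempts and refuses to accept the same code twice within its window. Hardware security keys (FIDO2/WebAuthn) go a step further than TOTP: the secret cannot be exported from the key at all and the signed challenge is bound to the site origin, so it also resists phishing of the one-time code.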