We already knew the reason behind the most humiliating hack in SEC history: one day before Gary Gensler was forced to capitulate and approve the first batch of spot Bitcoin ETFs (betraying his Sith master, Pocahontas, under intense pressure from Larry Fink), the regulator's X account was hacked and announced what would become actual news a day later. Moments ago the SEC confirmed that i) an unnamed person changed the password for the agency's account after gaining control of an agency employee's phone number via a simple "SIM swap" to make the false post on Jan. 9, and, more importantly, ii) the hack was only possible in the first place because multifactor authentication on its X account had been disabled last July and wasn't re-enabled until after the incident, to wit:
"While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account. Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it."
In other words, the idiots at the SEC voluntarily made it easier for any outside hacker to gain access to their account by deliberately turning off their two-factor authentication, which, as Bloomberg's James Seyffart notes, is far worse than never having had it turned on in the first place!
The full statement is below; it's amazing the SEC managed to publish it without fucking everything up.
January 22, 2024: Statement by an SEC Spokesperson to the Media:
We are providing the following update on the January 9, 2024, unauthorized access and activity (the “incident”) on the @SECGov X account:
SEC staff are continuing to coordinate with several law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice, and the SEC’s own Division of Enforcement.
Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent “SIM swap” attack. SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number. Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.
Once in control of the phone number, the unauthorized party reset the password for the @SECGov account. Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.
While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account. Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.
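The statement above describes two things that had to line up for the takeover: the reset path depended solely on a phone number the carrier could be talked into moving, and the factor that would have stopped it was switched off. The following toy recovery-policy model is an added example written for this post; it is not SEC or X code, and every name, number and threshold in it (the handle, the carrier "SIM change" record, the 72-hour hold) is constructed. It replays the sequence from the statement (MFA off, attacker now receiving SMS at the number, reset requested shortly after the SIM change) under an SMS-only policy and under a hardened one that requires a non-SMS second factor and holds resets that arrive soon after a carrier-side SIM change.

```python
# Added example (not SEC or X code): a toy account-recovery policy showing why
# an SMS-only reset path fails once someone else controls the phone number, and
# two defensive controls that close it: a non-SMS second factor and a hold on
# resets shortly after a carrier-side SIM change. All names and data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class Account:
    handle: str
    phone: str                        # recovery number on file
    mfa_enabled: bool
    app_factors: Set[str] = field(default_factory=set)  # registered non-SMS factors


@dataclass
class ResetRequest:
    handle: str
    phone: str                        # number that received the reset code
    at: datetime
    app_factor: Optional[str] = None  # proof from a non-SMS factor, if presented


# Constructed carrier-side record: when the SIM bound to a number last changed.
NUMBER = "+1-202-555-0100"
SIM_CHANGES = {NUMBER: datetime(2024, 1, 9, 10, 0)}

# Hold password resets for this long after a SIM change (assumed value).
SIM_CHANGE_HOLD = timedelta(hours=72)


def evaluate_reset(acct: Account, req: ResetRequest, policy: str) -> Tuple[bool, str]:
    """Decide whether a password reset goes through. Returns (allowed, reason)."""
    if req.handle != acct.handle or req.phone != acct.phone:
        return False, "request does not match account"

    if policy == "sms_only":
        # Weak policy: whoever receives SMS at the number can reset the password.
        return True, "sms code accepted"

    # Hardened policy.
    # 1. With MFA on, the reset must also prove a factor the carrier cannot hand over.
    if acct.mfa_enabled and req.app_factor not in acct.app_factors:
        return False, "non-SMS second factor required"

    # 2. Even with MFA off, a reset right after a SIM change is held for review.
    changed = SIM_CHANGES.get(req.phone)
    if changed is not None and req.at - changed < SIM_CHANGE_HOLD:
        return False, "SIM changed recently; hold for manual review"

    return True, "reset allowed"


def replay_incident(policy: str, mfa_enabled: bool = False,
                    app_factor: Optional[str] = None, days_after: int = 0) -> Tuple[bool, str]:
    """Replay the sequence in the statement under a policy: the reset arrives one
    hour (plus `days_after` days) after the carrier moved the SIM. MFA is off by
    default, as it was on the compromised account; the account has one
    constructed authenticator-app factor registered."""
    acct = Account("@example_gov", NUMBER, mfa_enabled, {"totp-device-1"})
    when = SIM_CHANGES[NUMBER] + timedelta(hours=1, days=days_after)
    req = ResetRequest("@example_gov", NUMBER, when, app_factor)
    return evaluate_reset(acct, req, policy)


if __name__ == "__main__":
    for policy in ("sms_only", "hardened"):
        print(policy, replay_incident(policy))
```

Under the SMS-only policy the replay succeeds with MFA off, exactly the condition the statement describes. Under the hardened policy the same request is held because the carrier record shows the SIM moved an hour earlier, and even once the hold expires, an account with MFA on still needs a factor that no carrier can transfer. The SIM-change signal requires a carrier data feed or self-reported "number recently ported" flag; where that is unavailable, the non-SMS factor is the control that matters.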
And these are the cartoonishly incompetent morons (and porn addicts) tasked with keeping US investors safe.