SEC blames sim-swapping, lack of MFA for X account hijacking

The SEC confirmed its X account was hijacked on Jan. 9 via an apparent SIM swap in which an attacker convinced the telecom carrier to transfer the phone number tied to the account, then reset the account password; the account lacked multifactor authentication. A multi-agency investigation is ongoing, and the report emphasizes SMS-based MFA's vulnerability and recent platform changes that reduced SMS MFA availability.