
SEC Confirms SIM Swap, Lack of 2FA Helped Hacker Hijack Twitter Account

The regulator is still investigating how the hacker uncovered the phone number that was tied to the @SECGov Twitter account.

By Michael Kan, Principal Reporter


The Securities and Exchange Commission has confirmed that a SIM swap led a hacker to take over the @SECGov Twitter account earlier this month. 

In a Monday statement, the SEC said the “unauthorized party” gained access to the account by first targeting the financial regulator's telecommunications carrier. Somehow, the hacker learned the cell number connected to @SECGov. The attacker then tricked the carrier into transferring the cell number to their own device, allowing them to complete a password reset for the account on Twitter, now X.

"Access to the phone number occurred via the telecom carrier, not via SEC systems," the statement added. "SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts."

Still, the financial regulator confirmed that the @SECGov account had not activated two-factor authentication, a widely recommended security safeguard that can prevent account hijackings. 

“While multi-factor authentication [MFA] had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account,” the SEC said. “Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.”

The SEC issued the update weeks after Twitter itself blamed the embarrassing incident on a SIM swap. By hijacking the account, the hacker was able to exploit the @SECGov profile to prematurely tweet that the financial regulator had cleared Bitcoin ETFs for national securities exchanges. The phony tweet briefly roiled markets, sending the value of Bitcoin soaring before it plummeted after the SEC warned the public that its Twitter account had been compromised. 

Although the SEC has been investigating the incident, the regulator is still trying to uncover who was behind the hijacking, along with other details like “how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the SEC said.

The investigation occurs as some lawmakers have blasted the SEC for neglecting to follow its own rules and guidance on cybersecurity. “This failure is unacceptable, and it is disturbing that your agency could not even meet the standard you require of private industry,” Republican lawmakers told the SEC in a letter earlier this month.
