May 8, 2024

News Collective


This is how an important government agency was hacked


If you do not want to lose your accounts, associated information and other private and important data, it is essential not to leave any security hole in your digital life. Losing a simple password can be a major setback if it falls into the wrong hands.

Even if you choose a good password, you always have to go a step further to protect your accounts as much as possible. No one is safe from danger, not even government agencies; in fact, the US Securities and Exchange Commission (SEC) had its X account (formerly known as Twitter) stolen, although that was short-lived.

Interestingly, they made a fairly basic mistake, but one that can happen to anyone with a social media account, and a lot can be learned from it. It appears that the goal of the people who took over the account was to publish a Bitcoin-related post to raise its value, which they achieved momentarily.

Verification is key

It was the Commission itself, the SEC, that disclosed this malicious act by cybercriminals, who took control of its official X account. This was partly due to the fact that two-step verification was not activated, something that all cybersecurity experts highly recommend.

It appears that the event occurred after the SEC disabled two-step verification on the account, which was exploited to conduct a SIM swapping attack. This finally paid off, as the attackers were able to take control of the account for a few minutes. As the agency confirmed, at no time did they have access to its internal systems or databases, only to its social network accounts, so it will remain just a simple anecdote.



SIM swapping relies on social engineering: the criminal takes control of a phone number by deceiving the phone company, perhaps by pretending to be its owner, so that the company gives them control of the number and access to its incoming text messages and calls. As a result, any verification message containing a login code no longer reaches the person who actually owns the number.

The cybercriminals only had to follow the password reset process, have the confirmation SMS sent to the number they controlled, and enter the access code. This is something that can happen to anyone. Their post on the agency's profile sent Bitcoin rising to $48,000, but soon after it fell by 6%. If they had stolen another type of account, they may have been able to steal data or even money from the owner; in this case, the purpose was clear.

How to prevent this from happening

The first mistake committed by the American agency was disabling two-step verification. This decision was made because it was causing login problems, and they contacted the X offices to turn off this security mechanism, which they should have turned back on once they were able to log in again.

Two-step verification is a very useful security mechanism, because it means that in addition to entering the password correctly, a second verification step is required. In this case, that step was done via SMS, but experts advise against using this method, as someone could, as happened in this case, gain fraudulent access to the SIM card. It is more complicated to do so if another method is used.


Instead, it's better to use verification apps like Microsoft Authenticator or Google Authenticator. These apps display a code that changes every few seconds. To access it, the cybercriminal must first be able to access our Google account, which can also be complicated if it is well protected. In fact, X itself recommended doing two-step authentication through these types of apps, not through SMS.
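The sketch below is an added example, not code from the article or from any of the apps it names. It shows how the changing code in an authenticator app is computed on the device from a shared secret and the current time (RFC 6238 TOTP with HMAC-SHA1, a 30-second step and 6 digits), so nothing is sent to the phone number that a SIM swap takes over. The function names, the `window` and `last_used_counter` parameters and the sample secret (the RFC 6238 test value) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Sample shared secret (the RFC 6238 test value, used here as constructed input).
# In a real enrolment it is exchanged once, usually via a QR code, and then
# stored by both the service and the authenticator app.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """What the app shows: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret: bytes, submitted: str, unix_time: float, step: int = 30,
           window: int = 1, last_used_counter: int = -1):
    """Service-side check (hypothetical helper).

    Accepts a code from the current step or `window` steps either side to
    tolerate clock drift, and refuses any step at or before the last one
    already accepted so that a captured code cannot be replayed.
    Returns the matched counter, or None if the code is rejected.
    """
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code shown by the app at t=59s:", code)
    print("accepted one step later:", verify(SAMPLE_SECRET, code, 89))
    print("accepted two minutes later:", verify(SAMPLE_SECRET, code, 179))
```

The service should persist the counter returned by `verify` and pass it back as `last_used_counter` on the next login attempt.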

If you still use SMS as a verification method, it is better to switch to another alternative, such as the apps mentioned above, although this cannot be done on every platform, as the platform must be compatible with those applications.
