American mobile virtual network operator (MVNO) Mint Mobile has confirmed suffering a data breach affecting an unknown number of its customers.
The company revealed the news in an email sent to its customers, in which it explained “We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information.”
“Our investigation indicates that certain information associated with your account was impacted.”
SIM swap attacks
Among the data stolen was the full names, telephone numbers, email addresses of users, along with SIM serial numbers and IMEI numbers, and short descriptions of the mobile plans the customer had bought.
Payment information was not stolen, the company said, adding that customer passwords are protected with “strong cryptographic technology,” hinting (but not outright saying) that some passwords might have also been taken. While we don’t know who attacked Mint, or how (if it was a social engineering attack, malware, or ransomware), the company said it “resolved the breach” and brought in third-party security experts to tighten the systems up.
Information such as people’s names, email addresses, and telephone numbers is enough to mount a few types of attacks, from identity theft to phishing, wire fraud, and more. However, BleepingComputer argues that whoever obtained the data now has enough intel to run SIM-swapping attacks – essentially redirecting people’s GSM communication to an endpoint of their choosing.
That way, they can redirect SMS messages used for one-time passwords (OTP) or multi-factor authentication (MFA) and access even the securest accounts (think bank accounts or similar).
TechRadar Pro has contacted Mint Mobile for further clarification.
The news is the second such incident to affect the company, after cybersecurity researchers from FalconFeeds previously found a hacker trying to sell a Mint database on the dark web – although it is unclear if this was a separate incident or not.