Mint Mobile reveals another major data breach
US mobile virtual network operator (MVNO) Mint Mobile has confirmed a data breach affecting an unknown number of its customers.
The company revealed the news in an email sent to its customers, in which it explained: “We are writing to inform you of a security incident we recently identified where an unauthorized actor obtained some limited types of customer information. “
“Our investigation indicates that some information associated with your account has been affected.”
SIM swap attacks
Among the stolen data were users' full names, phone numbers, email addresses, along with SIM serial numbers and IMEI numbers, and short descriptions of the mobile plans the customer had purchased.
Payment information was not stolen, the company said, adding that customer passwords are protected with “strong cryptographic technology,” suggesting (but not outright saying) that some passwords may also have been compromised. While we don't know who attacked Mint, or how (whether it was a social engineering attack, malware, or ransomware), the company said it had “resolved the breach” and brought in third-party security experts to tighten its systems.
Information like people's names, email addresses, and phone numbers is enough to carry out a number of types of attacks, from identity theft to phishing, phone fraud, and more. However, BleepingComputer claims that whoever obtained the data now has enough information to carry out SIM swapping attacks, essentially redirecting people's GSM communications to an endpoint of their choice.
That way, they can redirect text messages used for one-time passwords (OTP) or multi-factor authentication (MFA) and gain access to even the most secure accounts (think bank accounts or the like).
Ny Breaking has contacted Mint Mobile for further clarification.
The news is the second such incident to hit the company, after cybersecurity researchers at FalconFeeds previously found a hacker trying to sell a Mint database on the dark web – although it's unclear whether this was a separate incident or not.