|
Getting your Trinity Audio player ready... |
According to Mint Mobile, there was a recent data breach that resulted in the exposure of customers’ personal information, including information that could be utilized for SIM-swapping attacks.
T-Mobile owns Mint, a mobile virtual network operator (MVNO) that provides affordable pre-paid mobile plans.
Customers received emails from the company on December 22nd with the subject line “Important information regarding your account,” informing them that there had been a security breach and that customer data had been compromised.
The notice of the Mint Mobile data breach states, “We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information.”
“Our investigation indicates that certain information associated with your account was impacted.”
The business declared that the breach had been fixed and that they were securing their systems by collaborating with outside cybersecurity specialists.
The following client information was compromised:
- Name Phone number
- The email address
- The IMEI (a device identifier that resembles a serial number) and SIM serial numbers
- An overview of the service plan that was purchased
According to Mint, they were not exposed because they do not keep credit card numbers on file. Additionally, the business claimed that passwords are secure because they are encrypted using “strong cryptography technology.”
From this statement, the company did not clarify if the attacker had access to hashed passwords.
The information that has been made public is alarming because it could be used by a threat actor to carry out SIM swapping attacks, in which they port a victim’s number to their device.
After they have the phone number, they can attempt to get into the user’s online accounts by resetting their passwords and obtaining one of the OTP codes, which will allow them to bypass multi-factor authentication.
This method is frequently employed by threat actors to compromise user accounts at cryptocurrency exchanges and take control of all the assets kept in the virtual wallet.
Customers can contact customer service at 949-704-1162 with any questions, according to Mint, and they are not required to take any action.
It has been confirmed by a moderator on Mint Reddit that this number was created especially to address inquiries regarding the data breach.
“On December 22, 2023, you might have received an email from [email protected]. This is not a scam; it is a notice from Mint. A Mint moderator on Reddit clarified, “The Customer Care number was set up to handle specific questions about this communication.”
A threat actor reportedly tried to sell data on a hacking forum that was purportedly taken from Mint Mobile and Ultra Mobile, according to a July 2023 report from FalconFeeds threat intelligence service. Mint has not yet provided information on how they were breached.
It is unclear if the incident is connected to the disclosed breach, as the threat actor claimed that although the data is a few months old, it contained the last four digits of the customers’ credit cards.
In 2021, Mint Mobile experienced a data breach wherein an unauthorized individual gained access to the account details of subscribers and transferred their phone numbers to an alternative carrier.
More recently, in January 2023, T-Mobile, the parent company of Mint, experienced a significant data breach that resulted in the exposure of 37 million account details. They experienced another hack in May 2023, but it was far smaller and only exposed the information of 836 customers.
