Mint Mobile, a fairly successful (and Deadpool actor Ryan Reynolds-funded) budget mobile carrier in the United States, appears to be telling its customers that it recently suffered a data breach.
"Between June 8, 2021 and June 10, 2021, the phone numbers of a very small number of Mint Mobile subscribers, including yours truly, were temporarily ported to another carrier without permission," reads a Reddit post from Friday (June 9) that was spotted by Bleeping Computer. According to the post, the text is a Mint Mobile notification message sent to affected users.
The exposed information "may include your name, address, phone number, email address, password, billing amount, international calling details, phone number, account number, and subscription features," the message stated.
The purported Mint Mobile message does not specify how the attackers gained access to the user accounts. In a series of recent port-out incidents cited by Bleeping Computer, attackers broke into carriers' internal computer systems and used that access to port numbers out from within the carrier.
In a Reddit thread following the first post, a poster claiming to be Rizwan Khan, co-founder and managing partner of Mint Mobile, stated that "only subscribers who received this email were affected."
Tom's Guide has asked Mint Mobile for comment and confirmation, including how many users may have been affected, and will update this article when we receive a reply.
All Mint Mobile users, whether or not they received the message posted on Reddit, should change their account passwords ASAP.
If the password for your Mint Mobile account is the same as your other accounts, you should change the passwords for those accounts as well.
This is because if the full, unencrypted passwords of Mint Mobile users were indeed compromised, as Mint Mobile's messages to affected customers clearly suggest, it would be very serious and could lead to a chain of breaches.
The Mint Mobile message already states that the attackers "ported" the phone numbers to other carriers and, implicitly, to other devices.
More online accounts could be hijacked if those accounts send a confirmation text to the user's number when a password reset request is made.
An attacker could receive that text on behalf of the legitimate user and reset the password. At least three Reddit users have stated that this happened to their Mint Mobile accounts in early June.
"It took me over 6 hours to manage all my accounts and change my passwords. They were also on the verge of stealing about 30k of my crypto from my Coinbase account, but luckily I had a physical 2FA for my critical accounts," that same user said.
That same user stated that as a result of the account compromise, Mint Mobile offered identity theft protection for a year.
However, if the Mint Mobile user had reused the Mint Mobile password on other accounts tied to the same email address, those accounts could probably be hijacked as well.
Once an attacker gains control over two or three of the victim's online accounts, especially highly sensitive ones such as Gmail, Facebook, and Apple IDs, it is often easy to use that control to hijack still more of the victim's accounts. This is especially true for Gmail and Facebook accounts.
The chain of account hijacking can be stopped by enabling two-factor authentication (2FA), using a method other than SMS, on all sites that offer it.
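The hijacking chain described above, as an added threat-modeling example that is not from the article or from Mint Mobile: a constructed set of accounts with hypothetical passwords and recovery settings, and a fixpoint walk over which ones fall once an attacker holds the ported number and the leaked carrier password, and which survive when non-SMS 2FA is enabled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Account:
    name: str
    password: str                        # constructed sample value
    second_factor: str                   # "none", "sms", "totp" or "hardware"
    reset_via: str                       # "sms" or "email"
    email_account: Optional[str] = None  # account that receives reset links

def compromised_accounts(accounts: Dict[str, Account], leaked_password: str,
                         attacker_has_number: bool) -> Set[str]:
    """Accounts the attacker ends up controlling: iterate until no further
    account falls, since each takeover can unlock the next."""
    owned: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for a in accounts.values():
            if a.name in owned:
                continue
            # A second factor is defeated only if absent, or if it is SMS and the
            # attacker holds the ported number; TOTP/hardware keys block both paths.
            factor_passed = (a.second_factor == "none"
                             or (a.second_factor == "sms" and attacker_has_number))
            knows_password = a.password == leaked_password  # password reuse
            can_reset = ((a.reset_via == "sms" and attacker_has_number)
                         or (a.reset_via == "email" and a.email_account in owned))
            if (knows_password or can_reset) and factor_passed:
                owned.add(a.name)
                changed = True
    return owned

def sample_accounts() -> Dict[str, Account]:
    """Constructed sample mirroring the article: the carrier password is reused
    on the mailbox and the exchange, and the exchange has a hardware key."""
    accts = [Account("mint", "hunter2", "none", "sms"),
             Account("gmail", "hunter2", "sms", "sms"),
             Account("facebook", "other-pw", "none", "email", "gmail"),
             Account("coinbase", "hunter2", "hardware", "email", "gmail"),
             Account("bank", "unique-pw", "totp", "email", "gmail")]
    return {a.name: a for a in accts}

def with_factor(accounts: Dict[str, Account], name: str, factor: str) -> Dict[str, Account]:
    """Same accounts, with one account's second factor switched (the mitigation)."""
    a = accounts[name]
    out = dict(accounts)
    out[name] = Account(a.name, a.password, factor, a.reset_via, a.email_account)
    return out
```

With the ported number and the leaked password, the mailbox falls through its reused password plus SMS 2FA, and Facebook falls through an email reset; moving the mailbox to TOTP leaves only the carrier account compromised.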
This is something Mint Mobile's users on Reddit have been requesting from the carrier, but have not yet received.
"If this (2FA) had been implemented when we requested it two years ago, this hack would not have happened," said a commenter on the original thread.
"Everyone on this sub has been asking for 2FA for years and nothing has been done to implement better security," said another.
Tom's Guide has also asked Mint Mobile whether the service offers 2FA. However, as another Reddit contributor noted, 2FA may not have helped in this instance if an attacker had succeeded in penetrating Mint Mobile's internal systems.