Hackers accessed Mint subscribers’ account information and ported mobile numbers to another carrier, the company disclosed.
Mint notified the affected customers through a data breach notification, dating the compromise between June 8, 2021, and June 10, 2021.
The company, however, claimed that only a small number of Mint Mobile subscribers were affected.
Founded in 2015, Mint is a mobile virtual network operator (MVNO) on T-Mobile’s network. The Costa Mesa, California-based virtual mobile operator has received several awards including the “Most Disruptive MVNO” and the “Best Cell Phone Plans and Deals.” Hollywood ‘Deadpool’ actor Ryan Reynolds is a promoter and also a Mint shareholder.
Mint data breach exposed personal and call information
Mint Mobile's data breach notification says the hackers potentially accessed subscribers’ personal information, including call history, names, addresses, emails, and Mint Mobile passwords.
Mint Mobile did not publicly acknowledge the data breach but users shared screenshots of emails received from the mobile operator informing them of the incident and assuring them that the situation was under control.
“While we immediately took steps to reverse the process and restore your service, an unauthorized individual potentially gained access to some of your information, which may have included your name, address, telephone number, email address, password, bill amount, international call detail information, telephone number, account number, and subscription features.”
Mint Mobile’s managing partner Rizwan Khan reportedly said that only the customers who received the data breach notification were affected.
One user said on Reddit that the company had provided an annual identity theft protection service after the compromise.
“Both Mint Mobile and its users should be monitoring accounts to ensure that both phone connections, and other accounts using phone numbers as authorization or validation, remain free of interference,” said Saryu Nayyar, CEO at Gurucul. “By monitoring who is accessing these accounts and where and when they are being accessed, legitimate account holders can determine if their accounts are being used for illegitimate purposes and if their data is being used to access other personal and financial data.”
The identity of the hacker and how they gained access remain a mystery. However, potential initial entry points include a compromised user account or a customer management application, according to Bleeping Computer.
“It’s not clear exactly how this leak occurred but the takeaway is yet another reminder that data exfiltrated from one enterprise can easily be used to access data in another enterprise through scripting attacks such as credential stuffing,” said David Stewart, CEO at Approov. “In other words, all companies should be implementing independent multi-factor login approaches just in case they are attacked via data extracted from another source.”
Potential consequences of ported mobile numbers
The threat actors could use the numbers to execute phishing attacks targeting the affected users’ frequent contacts.
Additionally, they could use the ported numbers to receive two-factor authentication (2FA) codes and attempt account takeover attacks through password resets.
The only method guaranteed to prevent hackers from compromising the affected users’ accounts is non-SMS-based multi-factor authentication, such as authentication apps or biometric authentication.
Mint Mobile users complained that they had requested 2FA features for about two years but the service provider failed to deliver.
However, given that the attackers compromised the subscriber accounts by hacking Mint’s internal systems, it is unlikely that 2FA could have prevented them.
Since some users recycle passwords across online accounts, the attackers could use the exposed Mint account passwords to compromise other accounts.
Consequently, the virtual mobile network operator advised its subscribers to change their account passwords. Additionally, subscribers should remain vigilant for suspicious activity in their accounts and check their statements to prevent identity theft and fraud, according to the operator.
The Mint data breach closely resembles the USCellular data leak that compromised subscribers’ accounts after attackers breached the company’s customer relationship management software. Company officials said that the hackers gained access after tricking employees into downloading remote access software.
Similarly, T-Mobile disclosed a data breach in January 2021 affecting 10% of its customers while an earlier data breach in March 2020 exposed customer and employee information. In November 2019, T-Mobile suffered another data breach that exposed the personal information of an undisclosed number of prepaid subscribers. The company had also suffered a similar data breach that affected about 2 million customers in August 2018.
Questions on the data breach remain unanswered
“The first thing that seems odd here is that there is no mention of the receiving provider,” Dirk Schrader, Global VP of Marketing at NNT, noted. “These numbers have been ported somewhere, and the receiving side had to activate the SIM cards in order for the subscribers to be able to use their phones. Some facts are missing here.”
Schrader said that the receiving operator should provide information on subscribers’ account activity, including which services were accessed, to identify additional threat vectors.
“Mobile service providers have automated the process of porting numbers in and out of their networks to a great extent, which indicates that Mint Mobile’s infrastructure was infiltrated at a central point where such a process can be initiated to be processed without user authorization.”
He wonders how the attackers breached the central point despite the existing layers of security.
“A safe assumption is that stolen credentials of a Mint Mobile employee’s account or service account played a role in this attack. Mint Mobile has some questions to answer. For affected subscribers, close monitoring of all their accounts is needed.”