The Google Fi service is an affordable phone and data plan that piggybacks on the T-Mobile network, but its customers are now getting more than they bargained for as an unknown quantity of records have potentially been exposed. Google Fi was caught up in the T-Mobile data breach of late 2022 that saw an attacker gain access to 37 million records of customer data.
The attack was essentially an API scraping exploit, allowing the attacker access to records of basic customer contact and profile information. The Google Fi service breach is somewhat more concerning, however, as the company reports that SIM card serial numbers were included.
Google Fi service caught up in attack on T-Mobile network
The incident traces back to a T-Mobile data breach that was identified on January 5 and disclosed to the public on January 19, but had been going on since at least November 25, 2022. An attacker was able to exploit an API to scrape customer information that they should not have been able to access: name, billing address, email, phone number, date of birth, T-Mobile account number and plan features.
The Google Fi service breach included similar information, but also some items that T-Mobile did not name in its own breach disclosure, such as SIM card serial numbers. This is a more concerning development as it could facilitate SIM swap attacks, something that at least a small number of customers took to social media to complain about.
Most customers reported receiving an email from Google about the breach that advised them they did not need to do anything at this time, and that financial and more sensitive personal information was not accessed by the hacker. However, some claimed that Google notified them of attempts to hijack their accounts via a SIM swap. At least one reported that they received a message indicating that their number was successfully hijacked for two hours, but that Google apparently detected and remediated the issue on their own.
It is very difficult to say how many users of the Google Fi service are impacted, as Google has kept subscriber numbers private since the service started and will not disclose how many were impacted by this incident. The T-Mobile data breach included roughly a third of the company’s 110 million US service users.
T-Mobile data breach demonstrates company’s security woes can spill over to business partners
SIM swap attacks are the most concerning possibility, but the information taken in the Google Fi service breach also provides ample material for targeted phishing campaigns. The T-Mobile data breach, the eighth for the company in about five years, is the sort of thing that attackers will look to for related data to enhance tailored phishing attempts even further.
More generally, T-Mobile’s security track record to date indicates that it is just as important to evaluate business partners that have privileged access to data as it is to evaluate the business itself. The company’s current string of misfortune began in 2018 with the loss of two million customer records, and involved another weakness in its API. The next incident, in 2019, was similar and involved its prepaid customers. Two more similar T-Mobile data breaches were observed in 2021.
T-Mobile seemingly keeps skating by despite this abysmal record, possibly because the breaches usually involve some loophole in an API and do not expose financial information or deeply sensitive information such as Social Security numbers. The notorious hacking group Lapsus$ demonstrated what can be done with such information in 2022, however, when it engaged in a string of SIM swaps using profile information it had stolen to target known cryptocurrency wallets holding very large amounts of money.
There will be some hard questions for the Google Fi service with this breach announcement, however, as the lengthy record of T-Mobile data breaches should have prompted extra layers of security from a company that is known to be focused on it. As Lior Yaari, CEO and co-founder at Grip Security, notes: “The data stolen in this breach is going to fuel numerous attacks in the future. However, the victims can take a little solace that their payment information or PINs were not stolen. The hackers can potentially still do a lot of damage by having access to the users’ phone numbers and SIM serial card numbers, including taking over your phone number. At minimum, affected customers should consider changing out their SIM card to protect themselves. Once the hackers take over your phone number, they can use it for illicit purposes or even bypass two factor authentication that uses SMS. Given the serious nature and impact of the breach, it’s surprising that Google has not disclosed the number of customers impacted, like what we have seen in other major breaches.”
SIM swap attacks are usually highly targeted, given that the attacker often has to engage in social engineering at some point to pull the scheme off. One customer’s Reddit report on their notification of a SIM swap from Google indicated that they had a crypto wallet and Authy account that the attackers were attempting to get into. It remains unclear if the attackers leveraged additional information gleaned from the T-Mobile data breach in pulling off the SIM swap, as Google provided the customer with little more information about what was happening than the general population is getting. The one tidbit that did come out is that Google Fi service customers who experience a SIM swap may be offered two years of free credit monitoring and identity theft protection as compensation.
While most Google Fi service customers are much more likely to see phishing attempts using the stolen information rather than SIM swaps, Erich Kron (security awareness advocate at KnowBe4) warns that relying on SMS-based MFA as a barrier when a phone number can be stolen is not likely to be sufficient: “Cellular networks are very concerning when it comes to a breach as many people protect financials using Multi Factor Authentication (MFA) through SMS messages. If bad actors are able to SIM swap or receive these messages in place of the user, it can render the protection otherwise provided by MFA useless. No matter whom you are contracting services from, it’s important to understand the risks which you then accept as part of that partnership. Security measures should be reviewed on a regular basis and consideration, up to and including termination of contracts, must be made when a subcontractor fails to protect your data.”
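The failure mode Kron describes (SMS one-time codes delivered to whoever now holds the number) can be caught on the service side by refusing to trust an SMS factor for a number whose SIM was recently changed. The following is an added illustration, not code from the article, Google Fi or T-Mobile: it works over constructed carrier-style event lines, and the 72-hour window and log format are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real carrier logs).
# Fields: ISO timestamp | event type | phone number | detail
SAMPLE_LOG = """\
2023-01-27T09:00:00 SIM_ACTIVATED +15550100 ICCID=89010000000000000001
2023-01-27T09:03:10 OTP_REQUEST +15550100 service=wallet
2023-01-28T14:22:00 OTP_REQUEST +15550200 service=bank
2023-01-28T14:25:45 SIM_ACTIVATED +15550200 ICCID=89010000000000000002
2023-01-28T14:27:30 OTP_REQUEST +15550200 service=bank
2023-01-30T10:00:00 OTP_REQUEST +15550100 service=wallet
"""

# Assumed policy: distrust SMS for this long after a SIM change.
SIM_CHANGE_WINDOW = timedelta(hours=72)

def parse_events(text):
    """Parse one event per line into (timestamp, kind, number, detail)."""
    events = []
    for line in text.splitlines():
        ts, kind, number, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), kind, number, detail))
    return events

def evaluate_otp_requests(events, window=SIM_CHANGE_WINDOW):
    """Return one decision per OTP_REQUEST: 'allow' or 'step_up'.

    An SMS code requested within `window` after the number's most recent
    SIM activation is flagged 'step_up' so the service can demand a
    non-SMS factor instead of sending the code to a possibly swapped SIM.
    """
    last_sim_change = {}   # phone number -> time of latest SIM activation
    decisions = []
    for ts, kind, number, detail in sorted(events):
        if kind == "SIM_ACTIVATED":
            last_sim_change[number] = ts
        elif kind == "OTP_REQUEST":
            changed_at = last_sim_change.get(number)
            recent = changed_at is not None and ts - changed_at < window
            decisions.append((ts, number, detail, "step_up" if recent else "allow"))
    return decisions

if __name__ == "__main__":
    for ts, number, detail, decision in evaluate_otp_requests(parse_events(SAMPLE_LOG)):
        print(ts.isoformat(), number, detail, decision)
```

The second number's first request is allowed because no SIM change precedes it, while the request three minutes after its SIM activation is flagged; the first number's request 73 hours after activation falls outside the window and is allowed again.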