Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks.
Mint is a mobile virtual network operator owned by T-Mobile, offering budget, pre-paid mobile plans.
The company said they resolved the breach and are working with third-party cybersecurity experts to secure their systems.
Mint says they do not store credit card numbers, so they were not exposed.
The company's statement does not make clear whether hashed passwords were accessed by the attacker.
The exposed data is concerning, as it is enough information for a threat actor to conduct SIM swapping attacks, which is when an attacker ports a person's number to their own device.
Once they gain access to the number, they can try to access the user's online accounts by performing password resets and receiving the OTP codes to get past multi-factor authentication.
Threat actors commonly use this technique to breach accounts at cryptocurrency exchanges, stealing all assets stored in the online wallet.
Mint says that customers do not need to take any action and can call customer support at 949-704-1162 with any questions.
A Mint Reddit moderator has confirmed that this number was set up specifically to handle questions about the data breach.
While Mint has not disclosed details on how they were breached, the FalconFeeds threat intel service reported in July 2023 that a threat actor attempted to sell data on a hacking forum that was allegedly stolen from Mint Mobile and Ultra Mobile.
The threat actor said the data is a few months old but contained the last four digits of customers' credit cards, so it is unclear if the incident is related to the disclosed breach.
Mint Mobile previously suffered a data breach in 2021 when an unauthorized person accessed subscribers' account information and ported phone numbers to another carrier.
More recently, Mint's parent company, T-Mobile, suffered a massive data breach in January 2023 that exposed the data of 37 million accounts.
In May 2023, they suffered an additional breach, but this was much smaller, only exposing the data of 836 customers.
BleepingComputer has contacted Mint with questions about the attack and whether hashed passwords were exposed but has not received a reply.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 23 Dec 2023 01:40:24 +0000