Mint Mobile, a U.S. mobile virtual network operator (MVNO), has confirmed a data breach affecting an unknown number of its customers.
The company revealed the news in an email to its customers, in which it explained: "We are writing to inform you of a recently discovered security incident in which unauthorized actors gained access to certain limited types of customer information.
Our investigation has shown that certain information associated with your account has been affected.
The stolen data includes the user's full name, ** number, email address, as well as SIM card serial number and IMEI number, as well as a short description of the mobile plan purchased by the customer.
The company said the payment information was not stolen, adding that customer passwords were protected by "strong encryption," suggesting (but not directly saying) that some passwords could also be stolen. While we don't know who attacked Mint, or how it did it (if it was social engineering, malware, or ransomware), the company says it "addressed the vulnerability" and brought in third-party security experts to harden the system.
Information such as people's names, email addresses, and ** numbers is enough to launch several types of attacks, from identity theft to phishing, wire fraud, and more. However, BleepingComputer believes that whoever obtains the data now has enough intelligence to run a SIM swap attack – essentially redirecting people's GSM communications to the endpoint of their choice.
This way, they can redirect SMS messages for one-time passwords (OTPs) or multi-factor authentication (MFA) and access even the most secure accounts, such as bank accounts or similar.
TechRadar Pro has reached out to Mint Mobile for further clarification.
The news is the second such incident affecting the company after cybersecurity researchers at Falconfeeds previously spotted a hacker trying to mint databases on the dark web – although it's unclear if this was a separate incident.