This is pretty much a lump of coal in the stockings of Mint Mobile customers. The phone carrier has disclosed a data breach of massive proportions:
Mint is a mobile virtual network operator (MVNO) offering budget, pre-paid mobile plans. T-Mobile has proposed paying $1.3 billion to purchase the company. The company began notifying customers on December 22nd via emails titled “Important information regarding your account,” stating that they suffered a security incident and a hacker obtained customer information.
“We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information,” warns the Mint Mobile data breach notification. “Our investigation indicates that certain information associated with your account was impacted.”
The customer data exposed in the breach includes:
- Name
- Telephone number
- Email address
- SIM serial number and IMEI number (a device identifier similar to a serial number)
- A brief description of service plan purchased
This can be used to launch SIM swap attacks which means that customers online accounts that rely on two factor authentication that are delivered by text message are at risk. This isn’t good and customers in that situation should take acton to secure those accounts ASAP by moving those away from text message based two factor authentication to some other form of two factor authentication such as push notification.
Happy holidays.