


Mint Mobile suffers possible data breach — what you need to do


Mint Mobile, a rather successful low-cost cellular carrier in the United States (and in which Deadpool actor Ryan Reynolds owns a stake), is apparently telling customers that it recently suffered a data breach.

"Between June 8, 2021 and June 10, 2021, a very small number of Mint Mobile subscribers' telephone numbers, including yours, were temporarily ported to another carrier without permission," reads an alleged Mint Mobile notification message sent to affected users, according to a Reddit post Friday (June 9) that was unearthed by Bleeping Computer.


The exposed information "may have included your name, address, telephone number, email address, password, bill amount, international phone call detail data, telephone number, account number, and subscription features," said the message.

The purported Mint Mobile message did not specify how the attacker(s) got access to the user accounts. Unauthorized number ports at other carriers are sometimes the result of tricking or bribing customer-support representatives, although one recent series of ports cited by Bleeping Computer involved attackers getting into the carrier's internal computer system and porting numbers from the inside.

In the Reddit thread following the initial post, a poster claiming to be Mint Mobile co-founder and managing partner Rizwan Khan said that "only the subscribers who received this email were affected."

Tom's Guide has reached out to Mint Mobile for comment and confirmation, including how many users might have been affected, and we will update this story when we receive a reply.

Change your Mint Mobile password now

We think all Mint Mobile users should change their account passwords ASAP, whether or not they received the message posted on Reddit.

If any Mint Mobile users had the same password for their Mint Mobile account as for other accounts, then those users should change the passwords on those accounts as well, and use one of the best password managers to create strong, unique passwords and keep track of them all.

That's because if Mint Mobile users' full, unencrypted passwords were indeed exposed, as the apparent Mint Mobile message to affected customers implies, that's very serious and could lead to a cascading series of compromises.

The Mint Mobile message already said that the attacker(s) had "ported" phone numbers to other carriers and, by implication, other handsets.

That could lead to many more online accounts being taken over if those accounts send a verification text to the user's number when a password-reset request is made.

The attacker will get that text instead of the legitimate user and can reset the password. At least three Reddit users said this happened to their Mint Mobile accounts in early June.

"Took me 6+ stressful hours to get control of all my accounts and change their passwords," said one of those users. "They were also close to stealing around 30k of my crypto from my Coinbase account but luckily I had physical 2FA for important accounts."

That same user said that Mint Mobile had provided a year of identity-theft protection as a result of the account compromise.

Other accounts may also be in danger

Nevertheless, if a Mint Mobile user has reused their Mint Mobile password for other accounts that are tied to the same email address, then those accounts can probably be hijacked as well.

Once an attacker gains control of two or three of a victim's online accounts, especially very sensitive ones such as Gmail, Facebook or Apple ID, it's often easy to leverage that control to take over even more of the victim's accounts.

The one thing that can stop a chain of account takeovers dead in its tracks is to enable non-SMS-based two-factor authentication (2FA) on every site that offers it.

That's the one thing Mint Mobile users on Reddit say they've been asking for, yet haven't received.

"If this [2FA] had been implemented when we asked for it ~2 years ago, this hack would not have happened," said one commenter on the original thread.

"Everyone on this sub has been asking for 2FA for years and nothing has been done to implement better security," said another.

Tom's Guide has asked Mint Mobile whether or not the service offers 2FA. However, as another Reddit poster pointed out, 2FA may not have helped in this instance if the attacker(s) managed to get into Mint Mobile's internal systems.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than fifteen years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/mint-mobile-data-breach

Posted by: daleycoloody.blogspot.com
