BACKGROUND:
As posted on Reddit, a number of Mint Mobile subscribers’ phone numbers were ported to another carrier without authorization. Mint states that the ported information potentially included subscribers’ personal information, including account number, phone number, call history, names, addresses, emails, bill amount, and passwords. According to the post, the breach occurred between June 8th and 10th. Experts with Approov and Gurucul comment.
<p>Mint Mobile, a regional mobile communications firm, has announced that “a small number of users” have experienced an unauthorized transfer of their user data to another carrier. This seems to be a part of an attack aimed at gaining access over these accounts for identity purposes.</p>
<p>Both Mint Mobile and its users should be monitoring accounts to ensure that both phone connections and other accounts using phone numbers as authorization or validation remain free of interference. By monitoring who is accessing these accounts and where and when they are being accessed, legitimate account holders can determine if their accounts are being used for illegitimate purposes, and if their data is being used to access other personal and financial data.</p>
<p>It’s not clear exactly how this leak occurred but the takeaway is yet another reminder that data exfiltrated from one enterprise can easily be used to access data in another enterprise through scripting attacks such as credential stuffing. In other words, all companies should be implementing independent multi-factor login approaches just in case they are attacked via data extracted from another source.</p>