Mint Cellular has disclosed a brand new knowledge breach that uncovered the private info of its prospects, together with knowledge that can be utilized to carry out SIM swap assaults.
Mint is a cell digital community operator (MVNO) owned by T-Cellular, providing funds, pre-paid cell plans.
The corporate started notifying prospects on December twenty second by way of emails titled “Essential info concerning your account,” stating that they suffered a safety incident and a hacker obtained buyer info.
“We’re writing to tell you a few safety incident we just lately recognized through which an unauthorized actor obtained some restricted kinds of buyer info,” warns the Mint Cellular knowledge breach notification.
“Our investigation signifies that sure info related along with your account was impacted.”
The corporate stated they resolved the breach and are working with third-party cybersecurity consultants to safe their techniques.
The shopper knowledge uncovered within the breach contains:
- Title
- Phone quantity
- E mail handle
- SIM serial quantity and IMEI quantity (a tool identifier just like a serial quantity)
- A short description of service plan bought
Mint says they don’t retailer bank card numbers, in order that they weren’t uncovered. The corporate additionally stated they defend passwords with “robust cryptographic expertise,” so they aren’t compromised.
The corporate didn’t make it clear from this assertion if hashed passwords have been accessed by the attacker.
The uncovered knowledge is regarding, as it’s sufficient info for a risk actor to conduct SIM swapping assaults, which is when an attacker ports an individual’s quantity to their very own system.
As soon as they acquire entry to the quantity, they will attempt to entry the person’s on-line accounts by performing password resets and receiving the OTP codes to get previous multi-factor authentication.
Menace actors generally use this system to breach accounts at cryptocurrency exchanges, stealing all belongings saved within the on-line pockets.
Nevertheless, Mint says that prospects don’t must take any motion and may name buyer assist at 949- 704-1162 with any questions.
A Mint Reddit moderator has confirmed that this quantity was arrange particularly to deal with questions concerning the knowledge breach.
“For those who obtained a discover by way of e-mail from no-reply@account.mintmobile.com on December 22, 2023, it’s from Mint and isn’t a rip-off. The Buyer Care quantity was setup to deal with particular questions on this communication,” defined a Mint moderator on Reddit.
Whereas Mint has not disclosed particulars on how they have been breached, the FalconFeeds risk intel service reported in July 2023 {that a} risk actor tried to promote knowledge on a hacking discussion board that was allegedly stolen from Mint Cellular and Extremely Cellular.
The risk actor stated the information is a couple of months previous however contained the final 4 digits of consumers’ bank cards, so it’s unclear if the incident is expounded to the disclosed breach.
Mint Cellular beforehand suffered a knowledge breach in 2021 when an unauthorized particular person accessed subscribers’ account info and ported telephone numbers to a different provider.
Extra just lately, Mint’s mum or dad firm, T-Cellular, suffered a large knowledge breach in January 2023 that uncovered the information of 37 million accounts. In Might 2023, they suffered a further breach, however this was a lot smaller, solely exposing the information of 836 prospects.
BleepingComputer has contacted Mint with questions concerning the assault and whether or not hashed passwords have been uncovered however has not obtained a reply.