Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks.
Mint is a mobile virtual network operator (MVNO) owned by T-Mobile, offering budget, pre-paid mobile plans.
The company began notifying customers on December 22nd via emails titled “Important information regarding your account,” stating that they suffered a security incident and a hacker obtained customer information.
“We’re writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information,” warns the Mint Mobile data breach notification.
“Our investigation indicates that certain information associated with your account was impacted.”
The company said they resolved the breach and are working with third-party cybersecurity experts to secure their systems.
The customer data exposed in the breach includes:
- Name
- Telephone number
- Email address
- SIM serial number and IMEI number (a device identifier similar to a serial number)
- A brief description of service plan purchased
Mint says they don’t store credit card numbers, so they weren’t exposed. The company also said they protect passwords with “strong cryptographic technology,” so they are not compromised.
The company didn’t make it clear from this statement whether hashed passwords were accessed by the attacker.
The exposed data is concerning, as it is enough information for a threat actor to conduct SIM swapping attacks, which is when an attacker ports a person’s number to their own device.
Once they gain access to the number, they can try to access the person’s online accounts by performing password resets and receiving the OTP codes to get past multi-factor authentication.
Threat actors commonly use this technique to breach accounts at cryptocurrency exchanges, stealing all assets stored in the online wallet.
However, Mint says that customers don’t need to take any action and can call customer support at 949-704-1162 with any questions.
A Mint Reddit moderator has confirmed that this number was set up specifically to handle questions about the data breach.
“If you received a notice via email from no-reply@account.mintmobile.com on December 22, 2023, it’s from Mint and isn’t a scam. The Customer Care number was set up to handle specific questions about this communication,” explained a Mint moderator on Reddit.
While Mint has not disclosed details on how they were breached, the FalconFeeds threat intel service reported in July 2023 that a threat actor tried to sell data on a hacking forum that was allegedly stolen from Mint Mobile and Ultra Mobile.

Source: FalconFeeds.io
The threat actor said the data is only a few months old but contained the last four digits of customers’ credit cards, so it’s unclear if the incident is related to the disclosed breach.
Mint Mobile previously suffered a data breach in 2021 when an unauthorized person accessed subscribers’ account information and ported phone numbers to another carrier.
More recently, Mint’s parent company, T-Mobile, suffered a massive data breach in January 2023 that exposed the data of 37 million accounts. In May 2023, they suffered an additional breach, but this was much smaller, only exposing the data of 836 customers.
BleepingComputer has contacted Mint with questions about the attack and whether hashed passwords were exposed but has not received a reply.