On January 1, a technologist nicknamed regexer received an email informing him that he had successfully reset his account on the Coinbase crypto exchange.
Unfortunately – and worryingly – he hadn’t actually requested a password reset. Regexer, who asked to be referred to by his nickname online for fear of being targeted by hackers again, quickly realized he was being hacked and his attempts to log in to his Coinbase to regain control failed. .
Soon after, he noticed he had no cell phone service. Then his two-factor app, Authy, informed him that a new device had been added to his account. After the hackers took control of the regexer’s mobile phone service, the hackers were able to reset passwords to its accounts and intercept two-factor SMS messages. This allowed hackers to take control of Authy, giving them the ability to use 2FA codes created by the app, according to regexer.
This gave them a chance to break into even more regexer-owned accounts.
“Now I don’t know what’s going on. I totally own it,” regexer told TechCrunch, recalling the incident.
Not knowing what to do, regexer started changing the passwords of his other important accounts which apparently hadn’t been compromised yet. Then, on a whim, he toggled airplane mode on and off on his iPhone. Somehow after that his cell phone service was restored.
Regexer isn’t sure if turning airplane mode on and off stopped the attack, but he’s glad it did.
For weeks, regexer had no idea how it was hacked. Then, on Monday, he received an email from his mobile provider, Google Fi, informing him and all other customers that hackers had stolen some customers’ information, possibly in connection with the recent breach. at T-Mobile.
Unlike other clients, the email received by regexer contained more detailed information about the hack he had suffered weeks before.
“Other data related to your Google Fi account may also have been accessed without permission, such as a postal code and the service/emergency address associated with your account,” the email reads. , which regexer shared with TechCrunch. “In addition, on January 1, 2023 for approximately 1 hour 48 minutes, your mobile telephone service was transferred from your SIM card to another SIM card. During the term of this temporary transfer, the unauthorized access may have involved using your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not be accessed. We have restored Google Fi service to your SIM card.
Regexer said he spoke to two Google Fi customer representatives trying to figure out more details about what happened, but neither of them told him. And, interestingly, the regexer saw no evidence that their Google account, which is linked to the Google Fi account, was compromised. It is unclear how the hackers were able to carry out the SIM card swap.
Google did not respond to a request for comment. And it’s not yet known if there were other people, or how many, specifically targeted by hackers like regexer was.
While the attack was in progress, regexer discovered that the hackers had also taken over his Outlook email account and, cleverly, in an effort to hide their actions, deleted the emails notifying of the password reset outmoded.
Even though nothing else has happened since January 1, regexer is still concerned and is asking Google to release more information.
“The main thing I would like to know is if I and others are still vulnerable, and if there is anything we can do to protect ourselves. I would like to know more details about the mechanisms that have been used for phone number takeover as this will shed some light on the current level of vulnerability and defense methods as well as whether two-factor texting is still better than no two-factor at all (I can replace texting (for some online accounts, but not all. Many banks and others only allow two-factor texting.) I’d also like to know how many people had their phone number hacked in connection with the breach, and, if it was a small subset, was there a reason we were being targeted in particular,” regexer said.
“So unless Google sheds more light on the attack, there’s a big open question about the current vulnerability of people’s phone numbers.”
Are you a Google Fi subscriber who also fell victim to a similar attack? Did you also receive a personalized notification from the company regarding the hack against you? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch through SecureDrop.