Google notified customers of its mobile virtual network operator (MVNO) Fi service that hackers were able to access some of their information, according to Tech Crunch. The tech giant said the bad actors had infiltrated a third-party system used for customer support at Fi’s main network provider. Although Google didn’t name the provider, Fi relies on US Cellular and T-Mobile for connectivity. If you recall, the latter admitted in mid-January that hackers had been taking data from his systems since November of last year.
T-Mobile said attackers managed to obtain the information of about 37 million postpaid and prepaid customers before discovering and containing the problem. At the time, the carrier insisted that no passwords, payment information and social security numbers had been stolen. Google Fi says the same, adding that no PINs or text/call message content were also taken. The hackers apparently only had access to users’ phone numbers, account status, SMS card serial numbers and some information about service plans, such as international roaming.
Google reportedly told most users that they had nothing to do and that it was still working with Fi’s network provider to “identify and implement measures to secure data on this third-party system and notify all the persons potentially concerned”. That said, at least one customer said they had more serious issues than most because of the breach. They shared part of Google’s purported email on Reddit, telling them that their “mobile phone service had been transferred from [their] SIM card to another SIM card” for nearly two hours on January 1.
The client said he received password reset notifications from Outlook, his crypto wallet account, and the Authy two-factor authenticator that day. They sent newspapers to 9to5Google to prove that the attackers had used their number to receive text messages allowing them to access these accounts. Based on their Fi text history, the bad actors began resetting passwords and requesting two-factor authentication codes via text message within a minute of transferring their SIM card. The client could only have regained control of his accounts after turning network access off and on again on his iPhone, although it’s unclear if that fixed the issue. We’ve reached out to Google for a statement regarding customers’ SIM swap request and will update this message when we get back to you.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you purchase something through one of these links, we may earn an affiliate commission. All prices correct at time of publication.