At least one person found out that their phone number was moved to another device and their accounts were hacked in real time after the data breach was disclosed last night.
There was a limited amount of customer data accessed by a third party, but no personal data such as names, birthdates, or phone numbers, according to the disclosure.
The email varied for at least one customer.
The email that the customer shared said that their phone service had been transferred to another SIM card for just under two hours. The email read something along the lines of:
Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.
9to5Google was in contact with the Fi customer who explained the situation they encountered and offered evidence to back it up.
On January 1, the customer received unauthorized access and password reset notifications from their online accounts via email. All of the notifications concerned accounts that had been accessed by a third party and, in the case of Outlook and a crypto account, passwords were successfully reset. With access to the customer’s phone service, the attacker used the number to get codes for their accounts, according to the logs from those services viewed by 9to5Google.
Account-level text history shows that messages from two-factor services were sent within one minute of the attacker gaining access to those accounts.
The customer was only made aware of this when their phone number was moved to the attacker’s, as the email notifications weren’t coming through to their phone. During the 45 minutes that the attacker had access to that phone number, a number of messages were exchanged between the attacker and the affected customer, and the affected customer sent new codes to regain access to their accounts.
The customer was able to regain access to their accounts and phone number when they turned network access off and back on. It is not clear if this is what ended the attacker’s access or if it was a simple coincidence.
In the email, which was verified by a security researcher who used to work for Google, the company recommended that the customer turn off two-factor authentication codes and offered two years of credit monitoring and identity theft protection, something that wasn’t in the email that was sent to others.
Here is our advice for staying safe online. These include taking our Security Checkup, using secure networks when browsing the web, and selecting privacy settings, including non-SMS-based 2-Step Verification, that can help protect the security of your data.
So what occurred?
The customer told us that the Fi support representatives were unable to provide any details and dismissed the case to some extent.
The attacker was able to move service from one SIM to another remotely. The customer was using a physical SIM card and not an eSIM. An email mentioning a data breach that affected other customers adds more layers to the situation. It is likely that the data breach that started with 37 million T-Mobile customers had something to do with this incident.
There are some big questions in this situation. Were other people affected? Is it possible that these customers were affected for the same time? Is this a targeted attack? Was T-Mobile also affected in the same way?
The company has not responded to our request for more information on this aspect of the data hack.
You can reach out via email if you received a similar message.