Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks.
Mint is a mobile virtual network operator (MVNO) owned by T-Mobile, offering budget, pre-paid mobile plans.
The company began notifying customers on December 22nd via emails titled “Important information regarding your account,” stating that they suffered a security incident and a hacker obtained customer information.
“We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information,” warns the Mint Mobile data breach notification.
“Our investigation indicates that certain information associated with your account was impacted.”
The company said they resolved the breach and are working with third-party cybersecurity experts to secure their systems.
The customer data exposed in the breach includes:
- Telephone number
- Email address
- SIM serial number and IMEI number (a device identifier similar to a serial number)
- A brief description of service plan purchased
Mint says they do not store credit card numbers, so they were not exposed. The company also said they protect passwords with “strong cryptographic technology,” so they are not compromised.
The company did not make it clear from this statement if hashed passwords were accessed by the attacker.
The exposed data is concerning, as it is enough information for a threat actor to conduct SIM swapping attacks, which is when an attacker ports a person’s number to their own device.
Once they gain access to the number, they can try to access the user’s online accounts by performing password resets and receiving the OTP codes to get past multi-factor authentication.
Threat actors commonly use this technique to breach accounts at cryptocurrency exchanges, stealing all assets stored in the online wallet.
However, Mint says that customers do not need to take any action and can call customer support at 949- 704-1162 with any questions.
A Mint Reddit moderator has confirmed that this number was set up specifically to handle questions about the data breach.
“If you received a notice via email from [email protected] on December 22, 2023, it is from Mint and is not a scam. The Customer Care number was setup to handle specific questions about this communication,” explained a Mint moderator on Reddit.
While Mint has not disclosed details on how they were breached, the FalconFeeds threat intel service reported in July 2023 that a threat actor attempted to sell data on a hacking forum that was allegedly stolen from Mint Mobile and Ultra Mobile.
The threat actor said the data is a few months old but contained the last four digits of customers’ credit cards, so it is unclear if the incident is related to the disclosed breach.
Mint Mobile previously suffered a data breach in 2021 when an unauthorized person accessed subscribers’ account information and ported phone numbers to another carrier.
More recently, Mint’s parent company, T-Mobile, suffered a massive data breach in January 2023 that exposed the data of 37 million accounts. In May 2023, they suffered an additional breach, but this was much smaller, only exposing the data of 836 customers.
BleepingComputer has contacted Mint with questions about the attack and whether hashed passwords were exposed but has not received a reply.