Google Fi, Google’s U.S.-only telecommunications and mobile internet service, has informed customers that personal data was exposed by a data breach at one of its primary network providers, with some customers warned that it allowed SIM swapping attacks.
Google sent notices of a data breach to Google Fi customers this week, informing them that the incident exposed their phone numbers, SIM card serial numbers, account status (active or inactive), account activation date, and mobile service plan details.
Google clarified that the breached systems did not hold sensitive details such as full names, email addresses, payment card information, SSNs, tax IDs, government IDs, account passwords, or contents of SMS and phone calls.
“Our incident response team undertook an investigation and determined that unauthorized access occurred and have worked with our primary network provider to identify and implement measures to secure the data on that third party system and notify everyone potentially impacted,” reads the notice to customers.
“There was no access to Google’s systems or any systems overseen by Google.”
While Google has not named the primary network provider that was breached, it’s believed that they are referring to T-Mobile.
T-Mobile disclosed last month that it suffered an API data breach in November 2022 that exposed the personal information of approximately 37 million subscribers.
We have asked Google to confirm whether this is related to the T-Mobile breach but have not received a response.
Data breach led to SIM swap attacks
Unfortunately, the exposed technical SIM data allowed threat actors to conduct SIM swap attacks on some Google Fi customers, with one customer reporting that the hackers gained access to their Authy MFA account.
In a SIM swapping attack, threat actors convince a mobile carrier to port a customer’s phone number to a mobile SIM card under the attacker’s control.
These attacks are conducted using social engineering, where the threat actor impersonates the customer and requests that the number be ported to a new device for some reason. To convince the mobile carrier that they are the customer, they provide personal information exposed in phishing attacks and data breaches.
As the Google Fi data breach includes phone numbers, which can easily be linked to a customer’s name, and the serial numbers of SIM cards, it would have made the attackers even more convincing when contacting a mobile customer support representative.
Once the number is ported, the threat actors would have access to the victim’s text messages, including MFA codes, allowing them to breach online accounts or take over services secured by a person’s phone number.
Google sent a separate notice to customers impacted by SIM swap attacks, disclosing that the attackers managed to port their numbers to another SIM for a short time. However, users’ voicemail wasn’t breached.
“On January 1, 2023, for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.” – Google
One customer who suffered from the SIM swapping attacks shared his experience on Reddit, saying that he witnessed the takeover of his email, financial, and Authy authenticator app accounts in real time.
“The hacker used this to take over three of my online accounts — my primary email, a financial account, and the Authy authenticator app, all because they were able to receive my SMSes and therefore defeat SMS-based 2-fac,” explained the Google Fi customer.
Once a two-factor authenticator app is hijacked, it becomes much easier for hackers to compromise other accounts, especially if they were registered using a phone number.
Despite his efforts to stop it by informing Google Fi, he says he was ignored by customer support.