Mint Mobile, a rather successful low-cost cellular carrier in the United States (and in which Deadpool actor Ryan Reynolds owns a stake), is apparently telling customers that it recently suffered a data breach.
"Between June 8, 2021 and June 10, 2021, a very small number of Mint Mobile subscribers' phone numbers, including yours, were temporarily ported to another carrier without permission," reads an alleged Mint Mobile notification message sent to affected users, according to a Reddit post Friday (June 9) that was unearthed by Bleeping Computer.
The exposed information "may have included your name, address, telephone number, email address, password, bill amount, international call detail information, telephone number, account number, and subscription features," said the message.
The purported Mint Mobile message did not specify how the attacker(s) got access to the user accounts. Unauthorized number ports at other carriers are sometimes the result of tricking or bribing customer-support representatives, although one recent series of ports cited by Bleeping Computer involved attackers getting into the carrier's internal computer system and porting numbers from the inside.
In the Reddit thread following the initial post, a poster claiming to be Mint Mobile co-founder and managing partner Rizwan Khan said that "only the subscribers who received this email were affected."
Tom's Guide has reached out to Mint Mobile for comment and confirmation, including how many users might have been affected, and we will update this story when we receive a reply.
Change your Mint Mobile password now
We think all Mint Mobile users should change their account passwords ASAP, whether or not they received the message posted on Reddit.
If any Mint Mobile users had the same password for their Mint Mobile account as for other accounts, then those users should change the passwords on those accounts as well, and use one of the best password managers to create strong, unique passwords and keep track of them all.
That's because if Mint Mobile users' full, unencrypted passwords were indeed exposed, as the apparent Mint Mobile message to affected customers implies, that's very serious and could lead to a cascading series of compromises.
The Mint Mobile message already said that the attacker(s) had "ported" phone numbers to other carriers and, by implication, other handsets.
That could lead to many more online accounts being taken over if those accounts send a verification text to the user's number when a password-reset request is made.
The attacker will get that text instead of the legitimate user and can reset the password. At least three Reddit users said this happened to their Mint Mobile accounts in early June.
"Took me 6+ stressful hours to get control of all my accounts and change their passwords," said one of those users. "They were also close to stealing around 30k of my crypto from my Coinbase account but luckily I had physical 2FA for important accounts."
That same user said that Mint Mobile had provided a year of identity-theft protection as a result of the account compromise.
Other accounts may also be in danger
However, if a Mint Mobile user has reused their Mint Mobile password for other accounts that are tied to the same email address, then those accounts can probably be hijacked as well.
Once an attacker gains control of two or three of a victim's online accounts, especially very sensitive ones such as Gmail, Facebook or Apple ID, it's often easy to leverage that control to take over even more of the victim's accounts.
The one thing that can stop a chain of account takeovers dead in its tracks is to enable non-SMS-based two-factor authentication (2FA) on every site that offers it.
That's the one thing Mint Mobile users on Reddit say they've been asking for, yet haven't received.
"If this [2FA] had been implemented when we asked for it ~2 years ago, this hack would not have happened," said one commenter on the original thread.
"Everyone on this sub has been asking for 2FA for years and nothing has been done to implement better security," said another.
Tom's Guide has asked Mint Mobile whether or not the service offers 2FA. However, as another Reddit poster pointed out, 2FA may not have helped in this instance if the attacker(s) managed to get into Mint Mobile's internal systems.