Updated with comment from Verizon.
Bad people have stolen, or "ported out," the cellphone numbers of about 6,000 customers of TracFone, Straight Talk, Total Wireless and possibly other prepaid cellular carriers in the past couple of months, according to reports today (Jan. 26) in The Wall Street Journal and The Verge.
The above brands, plus Net10 Wireless, Simple Mobile and Walmart Family Mobile, all operate under the umbrella of TracFone Wireless, itself a newly acquired Verizon subsidiary as of November 2021. It's not yet clear whether customers of the latter three brands were also affected.
"We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers," said an undated security alert posted on the TracFone Wireless website.
"These bad actors may have had access to your name, address, PIN code, account number, secret question (but not answer) and email address to the extent you provided us with such information."
TracFone's message, however, only hints at the fact that losing a cellphone number to thieves can lead to a nightmarish spiral of account thefts and monetary loss.
Tom's Guide has reached out to Verizon for comment, and we will update this story when we receive a reply.
What you need to do if you're a TracFone customer
If you have an account with any of the six brands mentioned above, this is a potentially bad situation. You should immediately change your carrier-account PIN and, if possible, the account's secret question and answer. Links to do so via a web browser are embedded in the TracFone security alert page.
TracFone's security alert said it had tried to contact all affected customers, "but given the nature of this activity, messages to impacted mobile telephone numbers may no longer be accessible by some customers."
In other words, some customers might not even be told their accounts have been stolen because they won't be able to sent or receive text messages or phone calls.
"If you experience a sudden loss of service, or are having difficulty with a number transfer," TracFone said, "please contact customer service at 1-800-353-1842."
What you need to do if you know or suspect your TracFone number has been stolen
Unfortunately, for those customers whose numbers have indeed been stolen, the situation may get a lot worse. That's because cellphone numbers are unfortunately now used as a means of verifying your identity.
If you've been directly contacted about this issue by Net10 Wireless, Simple Mobile, Straight Talk, Total Wireless, TracFone or Walmart Family Mobile — or your service on one of those carriers suddenly no longer works — then you need to change the passwords on any online accounts you have that may use your cellphone number as a way to verify your identity.
This is because many online services, including some banks, social networks, cryptocurrency exchanges and email providers, will confirm account-password changes only after the legitimate user supplies a temporary code that has been texted to them.
Many implementations of two-factor authentication use similar texted codes to confirm the identity of a person logging into an account from a new device or location.
All such account-verification processes are jeopardized by port-out scams. If crooks have the phone numbers, then they can change the passwords on many of the number holders' online accounts.
Of course, if the crooks have already changed the password on an account, then you won't be able to change it yourself. You'll have to contact the online service via telephone or email and explain what happened. Be prepared to jump through hoops to verify your identity.
Cellphone numbers are meant to be temporary and transferable, and wireless carriers treat them as such. But online services often regard cellphone numbers as fixed points of personal identity when they shouldn't be seen that way at all. That's not the carriers' fault, but it is the reality.
How this happened is a mystery
TracFone's posting didn't mention how the crooks were able to take over 6,000 accounts, and that number actually comes from what a Verizon spokeswoman told the Journal.
Number port-out scams are often carried out by calling customer-service representatives at wireless carriers and convincing or tricking them into transferring phone numbers to other devices. In some instances, carrier personnel have been bribed to transfer numbers, especially when the number belongs to a person who has a lot of money in the bank or in online cryptocurrency accounts.
We don't know whether either of those scenarios happened in this case, and the Verizon spokeswoman told the Journal that "we have no reason to think that this was caused by anybody on the inside."
But, TracFone may not have been as diligent as it could have been when it received a number-transfer request.
Many of the stolen TracFone numbers appear to have been transferred to Metro, a rival low-cost prepaid cellular service operated by T-Mobile. It's not clear if there were any "SIM swap" incidents, in which a cellular number is transferred to a new SIM card on the same carrier.
A spokeswoman for that company told The Verge that "there is no fraud or data breach of any sort on the T-Mobile side of these port-outs."
If there's a silver lining in this potentially horrible situation, it's that the incidents have forced Verizon to quickly beef up the security of TracFone's number-transfer procedure.
"Since uncovering this fraudulent activity, we have made enhancements to improve the security of your mobile account," says the TracFone security notice.
"For example, when a request to transfer a number is made, we will send a text-message notification to your device to alert you to the request. This message will include the number you should call if you did not authorize the transfer."
"Additionally, we will also send you a text message containing a unique code (a 'Number Transfer PIN' or 'Port PIN') that must be provided to the new carrier before a transfer can be completed," the message added.
"This code should only be provided to your new carrier when you are making your transfer request. We will never call you and ask you for this code."
That's commendable, but other cellular carriers, such as AT&T, T-Mobile and Verizon itself, have had such safeguards against port-out scams in place for years. The real question is why TracFone apparently didn't.
Update: Response from Verizon
A Verizon spokesperson responded to our query with the following comment:
"Unwanted or forced number transfer (also known as port-out fraud) is an issue that affects the entire wireless communications industry. That's why we work with others in the industry, our trade association and law enforcement to address these problems as they arise. Stopping these fraudulent activities is as important to TracFone Wireless, Inc. as it is to our customers.
"We recently became aware of bad actors fraudulently transferring, or porting out, some TracFone mobile telephone numbers to other carriers. Since uncovering this activity, we made security enhancements to customers’ mobile accounts and are working directly with customers who have been impacted."