Google MVNO Privacy Breach Leads to SIM Swap Takeover

Customers of Google’s mobile virtual network operator, Google Fi, received a notification last week stating their personal data had been compromised. The breach revealed phone numbers, SIM card serial numbers, account activation dates, mobile service plan details and whether accounts are active or inactive. It is unknown how many customers were affected, though Google Fi is estimated to have around half a million subscribers in total.

Google’s notification played down the limited significance of the limited breach because it was so limited.

…there has been suspicious activity relating to a third party system that contains a limited amount of Google Fi customer data.

There is no action required by you at this time.

This system is used for Google Fi customer support purposes and contains limited data…

Nevertheless, a Reddit user called Regexer posted a warning he received from Google about his account being taken over.

…for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.

Regexer stated the SIM swap led to other accounts being compromised.

The hacker used this to take over three of my online accounts — my primary email, a financial account, and the Authy authenticator app, all because they were able to receive my SMSes and therefore defeat SMS-based 2-fac.

I tried reporting this repeatedly to Google Fi, including with detailed evidence, and their customer support reps didn’t believe me and didn’t follow up. They thought this was a standard password compromise or something, even though I could clearly see from activity logs that the hacker reset my passwords rather than logging in and then changing them, and I could see in the Google Fi activity logs the SMSes I didn’t receive that they used to compromise my accounts.

It is widely speculated that this breach is connected to T-Mobile user data being compromised through a leaky API near the beginning of this year. Google Fi uses T-Mobile and US Cellular as its networks. Google have not publicly blamed T-Mobile but their notification stated that none of Google’s systems had been accessed whilst repeatedly referring to information about the breach being received from the ‘primary network provider’. The timing of the Google Fi breach also coincided with the breach that occurred at T-Mobile.

Eric Priezkalns (http://revenueprotect.com)

Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.
