Google has notified customers of its Fi mobile virtual network operator (MVNO) service that hackers were able to access some of their information, according to TechCrunch. The tech giant said the bad actors infiltrated a third-party system used for customer support at Fi’s primary network provider. While Google didn’t name the provider outright, Fi relies on US Cellular and T-Mobile for connectivity. If you’ll recall, the latter admitted in mid-January that hackers had been taking data from its systems since November last year.
T-Mobile said the attackers got away with the information of around 37 million postpaid and prepaid customers before it discovered and contained the issue. Back then, the carrier insisted that no passwords, payment information and social security numbers were stolen. Google Fi is saying the same thing, adding that no PINs or text message/call contents were taken, as well. The hackers only apparently had access to users’ phone numbers, account status, SMS card serial numbers and some service plan information, like international roaming.
Google reportedly told most users that they didn’t have to do anything and that it’s still working with Fi’s network provider to “identify and implement measures to secure the data on that third-party system and notify everyone potentially impacted.” That said, at least one customer claimed having more serious issues than most because of the breach. They shared a part of Google’s supposed email to them on Reddit, telling them that that their “mobile phone service was transferred from [their] SIM card to another SIM card” for almost two hours on January 1st.
The customer said they received password reset notifications from Outlook, their crypto wallet account and two-factor authenticator Authy that day. They sent logs to 9to5Google to prove that the attackers had used their number to receive text messages that allowed them to access those accounts. Based on their Fi text history, the bad actors started resetting passwords and requesting two-factor authentication codes via SMS within one minute of transferring their SIM card. The customer was reportedly only able regain control of their accounts after turning network access on their iPhone off and back on, though it’s unclear if that’s what solved the issue. We’ve reached out to Google for a statement regarding the customers’ SIM swapping claim and will update this post when we hear back.