Mint Mobile mascot looking at a phone

Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks.

Mint is a mobile virtual network operator (MVNO) offering budget, pre-paid mobile plans. T-Mobile has proposed paying $1.3 billion to purchase the company.

The company began notifying customers on December 22nd via emails titled "Important information regarding your account," stating that they suffered a security incident and a hacker obtained customer information.

"We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information," warns the Mint Mobile data breach notification.

"Our investigation indicates that certain information associated with your account was impacted."

Mint Mobile data breach notification
Mint Mobile data breach notification
Source: @CyleRickner

The company said they resolved the breach and are working with third-party cybersecurity experts to secure their systems.

The customer data exposed in the breach includes:

  • Name
  • Telephone number
  • Email address
  • SIM serial number and IMEI number (a device identifier similar to a serial number)
  • A brief description of service plan purchased

Mint says they do not store credit card numbers, so they were not exposed. The company also said they protect passwords with "strong cryptographic technology," so they are not compromised.

The company did not make it clear from this statement if hashed passwords were accessed by the attacker.

The exposed data is concerning, as it is enough information for a threat actor to conduct SIM swapping attacks, which is when an attacker ports a person's number to their own device.

Once they gain access to the number, they can try to access the user's online accounts by performing password resets and receiving the OTP codes to get past multi-factor authentication.

Threat actors commonly use this technique to breach accounts at cryptocurrency exchanges, stealing all assets stored in the online wallet.

However, Mint says that customers do not need to take any action and can call customer support at 949- 704-1162 with any questions.

A Mint Reddit moderator has confirmed that this number was set up specifically to handle questions about the data breach.

"If you received a notice via email from no-reply@account.mintmobile.com on December 22, 2023, it is from Mint and is not a scam. The Customer Care number was setup to handle specific questions about this communication," explained a Mint moderator on Reddit.

While Mint has not disclosed details on how they were breached, the FalconFeeds threat intel service reported in July 2023 that a threat actor attempted to sell data on a hacking forum that was allegedly stolen from Mint Mobile and Ultra Mobile.

Hacker selling Mint Mobile and Ultra Mobile data
Hacker selling Mint Mobile and Ultra Mobile data
Source: FalconFeeds.io

The threat actor said the data is a few months old but contained the last four digits of customers' credit cards, so it is unclear if the incident is related to the disclosed breach.

Mint Mobile previously suffered a data breach in 2021 when an unauthorized person accessed subscribers' account information and ported phone numbers to another carrier.

BleepingComputer has contacted Mint with questions about the attack and whether hashed passwords were exposed but has not received a reply.

Update 12/23/23: Made correction that Mint Mobile is not owned by T-Mobile.

Related Articles:

FCC orders telecom carriers to report PII data breaches within 30 days

Verizon insider data breach hits over 63,000 employees

Jason’s Deli says customer data exposed in credential stuffing attack

Fidelity National Financial: Hackers stole data of 1.3 million people

Halara probes breach after hacker leaks data for 950,000 people