Minting a New Strategy: Lessons from a Security Breach

By: Dmitry Kurbatov

If history is any guide, the 2021 Mint Mobile breach will soon be forgotten (if it hasn’t been already). This is one reason why breaches never seem to end: each attack is frozen in time, an unfortunate episode consigned to oblivion rather than used to chart the course ahead. In this case, it’s almost worse—the hack wasn’t even the most devastating or sophisticated or distinctive intrusion of its kind. Moving on to the next big bad thing is almost understandable.

But perhaps that’s also why it should be taken seriously as a learning moment. If this breach was fairly typical in many respects, then we’re likely to see more just like it. Rather than repress the memory and move past it, the best option is to use it to develop better defenses.

First, some background: Mint Mobile is a mobile virtual network operator (MVNO) selling phone services on the T-Mobile network. The company has been praised for its disruptive approach and has won accolades as a value carrier. In late 2019, it got attention far outside its traditional base when movie star Ryan Reynolds acquired an ownership stake.

Then, in mid-July of 2021, Mint Mobile notified certain customers that unauthorized parties had gained access to their account information, and that a small number of those subscribers were being temporarily ported to another carrier. There was no public acknowledgement or announcement, just a short email to an unspecified number of customers.

The message stated that “we immediately took steps to reverse the process and restore your service; an unauthorized individual potentially gained access to some of your information, which may have included your name, address, telephone number, email address, password, bill amount, international call detail information, telephone number, account number, and subscription features.” The email, unsurprisingly, sparked a flurry of Reddit comments and unanswered questions on the identity of the hacker(s) and their intended purpose.

Behind the scenes

Let’s pull back the curtain a little. Using this attack as a backdrop, how do cybercriminals go about putting these attacks into play?

Unfortunately, there are numerous strategies and entry points that hackers can use. For example, they can target a subscriber's online personal account or the operator's customer management system; if those credentials are compromised, the hackers potentially gain full access to operations like number porting. They can also submit fraudulent number-porting requests to the customer service center, or carry out SIM-swap-style attacks.

To be clear, we don’t yet know how many subscribers were (or will be) affected. But we can still game out some scenarios.

If very few subscribers were affected, the attack was most likely executed by compromising a subscriber's personal account or the customer management system. The most effective method of compromising a personal account, even all these years into the digital era, is still a phishing attack. It may also have occurred through a social engineering operation. For example, a sophisticated hacker calls customer support, tells a tale of having lost a phone, and asks to change the SIM card, or otherwise fools the operator into restoring access to a customer management system. It’s very common, really simple, and highly effective, and it is how most SIM swap frauds take place.

If a larger number of customers were affected, hackers were perhaps able to get credentials for the CRM system used by the MVNO staff to deal with subscribers. This can also happen through bribing or otherwise involving an insider.

If huge amounts of data were leaked, it indicates that a hacker gained access to the company’s internal systems. When hackers gain access to full customer databases (CRM, billing, and so on), it usually means they have acquired administrator-level access. Of course, this too may have been achieved through a sophisticated phishing attack.

None of this is new or even surprising. Personal information is such a juicy target, and a pathway to so many avenues for monetization, that these attacks are sadly both routine and devastating. Nor is it only smaller players being invaded: global conglomerates have greater resources allocated for defense, yet they are just as likely to be compromised.

We all know that even the most sweeping attacks can fade from memory quite fast, often because there are inevitably worse episodes to worry about. But for those with a memory, let’s take a brief look back. In the summer of 2014, the customer portal of French mobile network operator and Internet service provider Orange France was hacked for the second time in a three-month period; 1.3 million users' data was stolen from the gateway of a software platform that sent promotional messages. In July 2017, millions of Verizon customers had their records exposed. The weakness was at Nice Systems, a vendor that facilitated customer service calls, and the records were exposed through an unprotected Amazon S3 storage bucket. Later in the same year, T-Mobile identified a bug that allowed hackers to access customers’ personal data, including the IMSI, a standardized unique number that identifies subscribers.
