T-Mobile USA Calls Customers to Warn on SIM Hijacking

T-Mobile USA is warning some customers that they could be targeted by hackers looking to hijack their SIM cards.

According to reports, the company has contacted "a few hundred" customers in the last two weeks, in the wake of a website flaw that was initially reported by Vice's Motherboard. The bug, which was patched October 10, allowed hackers to access customers' email addresses, account numbers and phone IMSIs. Armed with this information, bad actors could impersonate the user to gain access to an account and duplicate the SIM card, gaining control over the phone number. In turn, with control of the phone number, they could intercept SMS codes for two-factor authentication and gain access to bank accounts and the like.

One of the affected T-Mobile customers, Lorenzo Franceschi-Bicchierai, wrote that he got a call from customer service to warn him "of a detected alert" about his personal information.

The bug was reported in early October by Karan Saini, founder of startup Secure7. But it had been exploited since at least August 6, when a black-hat uploaded an exploitation tutorial on YouTube.

Initially, T-Mobile said that there was no indication that customer accounts were affected in any broad way, though clearly that is not the case. However, the carrier has now said the number of affected users is quite low, representing a tiny fraction of its 70 million customers.

"We found that there were a few hundred customers targeted," a spokesperson told Franceschi-Bicchierai “We take our customers' privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure."
