Mint Cellular has disclosed a brand new knowledge breach that uncovered the non-public data of its clients, together with knowledge that can be utilized to carry out SIM swap assaults.

Mint is a cell digital community operator (MVNO) owned by T-Cellular, providing finances, pre-paid cell plans.

The corporate started notifying clients on December twenty second by way of emails titled “Essential data concerning your account,” stating that they suffered a safety incident and a hacker obtained buyer data.

“We’re writing to tell you a couple of safety incident we not too long ago recognized by which an unauthorized actor obtained some restricted varieties of buyer data,” warns the Mint Cellular knowledge breach notification.

“Our investigation signifies that sure data related along with your account was impacted.”

The corporate mentioned they resolved the breach and are working with third-party cybersecurity specialists to safe their methods.

The shopper knowledge uncovered within the breach consists of:

• Identify
• Phone quantity
• E mail handle
• SIM serial quantity and IMEI quantity (a tool identifier much like a serial quantity)
• A quick description of service plan bought

Mint says they don’t retailer bank card numbers, so that they weren’t uncovered. The corporate additionally mentioned they shield passwords with “robust cryptographic know-how,” so they aren’t compromised.

The corporate didn’t make it clear from this assertion if hashed passwords had been accessed by the attacker.

The uncovered knowledge is regarding, as it’s sufficient data for a menace actor to conduct SIM swapping assaults, which is when an attacker ports an individual’s quantity to their very own machine.

As soon as they acquire entry to the quantity, they’ll attempt to entry the consumer’s on-line accounts by performing password resets and receiving the OTP codes to get previous multi-factor authentication.

Menace actors generally use this method to breach accounts at cryptocurrency exchanges, stealing all belongings saved within the on-line pockets.

Nevertheless, Mint says that clients don’t must take any motion and might name buyer help at 949- 704-1162 with any questions.

A Mint Reddit moderator has confirmed that this quantity was arrange particularly to deal with questions in regards to the knowledge breach.

“If you happen to obtained a discover by way of electronic mail from no-reply@account.mintmobile.com on December 22, 2023, it’s from Mint and isn’t a rip-off. The Buyer Care quantity was setup to deal with particular questions on this communication,” defined a Mint moderator on Reddit.

Whereas Mint has not disclosed particulars on how they had been breached, the FalconFeeds menace intel service reported in July 2023 {that a} menace actor tried to promote knowledge on a hacking discussion board that was allegedly stolen from Mint Cellular and Extremely Cellular.

The menace actor mentioned the info is a couple of months previous however contained the final 4 digits of consumers’ bank cards, so it’s unclear if the incident is said to the disclosed breach.

Mint Cellular beforehand suffered a knowledge breach in 2021 when an unauthorized individual accessed subscribers’ account data and ported telephone numbers to a different provider.

Extra not too long ago, Mint’s mother or father firm, T-Cellular, suffered an enormous knowledge breach in January 2023 that uncovered the info of 37 million accounts. In Could 2023, they suffered an extra breach, however this was a lot smaller, solely exposing the info of 836 clients.

BleepingComputer has contacted Mint with questions in regards to the assault and whether or not hashed passwords had been uncovered however has not obtained a reply.