Some Google Fi service customers have received notifications of potential account compromise, and the incident appears to be tied to the recent T-Mobile data breach in which tens of millions of records were leaked.
It appears that attackers accessed similar customer profile information in both of these incidents, but Google has informed some of its Fi users that attackers may have obtained their SIM card numbers and used them in hijacking attempts.
Fallout from T-Mobile data breach greater than initially anticipated
This is not the first T-Mobile data breach in recent years; unfortunately, it is not even the fifth or the seventh. Sitting at eight in the past half-decade, the company is racking up a troubling reputation for cyber security. With the Google Fi service impacted, the fallout now extends to business partners that might be sharing customer data with it.
These attacks have also largely been of the same nature: API scraping, facilitated by some sort of oversight in the code that allows access to customer profile information that should be private. Some of the prior T-Mobile data breaches involved millions of records, but the incident in late 2022 is thought to be the largest yet at 37 million total files.
While it is commonly known that the Google Fi service makes use of the T-Mobile network, its customers likely were not expecting a T-Mobile security lapse to lead to the compromise of their personal information. The threat to most users will be targeted phishing attacks that make use of the stolen profile information to look like legitimate communications, but some users have already been notified by Google of hijacking attempts involving remote SIM swaps.
While the Google Fi service itself does not appear to have been breached, enough information was shared with T-Mobile to cause damage. The lone silver lining is that the attackers did not appear to gain access to payment information or anything deeply sensitive, such as Social Security numbers. However, a successful SIM swap attack could lead to follow-up compromise of any number of accounts that yield access to more sensitive information. The incident is serious enough that Google Fi service customers might consider obtaining a new SIM card if they feel they may be targeted in this way. Multi-factor authentication (MFA) may not be sufficient to protect a target from a SIM swap.
Google Fi service customers with crypto wallets appear to be most at risk
The T-Mobile data breach that the Google Fi service was wrapped up in began in late November 2022, but was not detected and remediated until early January. Google is being tight-lipped about exactly how many customers were impacted and what was stolen, but the prior announcement from T-Mobile indicated that account profile information was taken along with account numbers and plan features.
Google has not published information about SIM swap attacks, but some Google Fi service customers took to Reddit and social media to report that they had been notified of a hijacking attempt. It is difficult to say how many Google Fi users were impacted as Google has never made customer numbers public, but the prior T-Mobile data breach is thought to have impacted just over a third of its US user base.