On January 1, a technologist known as regexer received an email stating that he had successfully reset his account at the cryptocurrency exchange Coinbase.
Unfortunately, and concerningly, he had not requested a password reset. Regexer, who asked to be referred to by his online alias for fear of being targeted by hackers again, quickly realised he was being hacked, and his attempts to regain control of his Coinbase account were futile.
He soon discovered that he had no cell phone service. Then, his two-factor authentication app, Authy, notified him that a new device had been added to his account. After gaining control of regexer’s cell phone service, the hackers were able to reset his passwords and intercept two-factor SMS messages. According to regexer, this allowed the hackers to take control of Authy and use the 2FA codes generated by the app.
This gave them the opportunity to break into even more regexer-owned accounts.
Regexer, unsure what to do, began changing passwords on his other important accounts, which had not yet been compromised. Then, on a whim, he toggled his iPhone’s aeroplane mode on and off. His cell phone service was eventually restored.
“I have no idea what the hell is going on. I am completely owned,” regexer told TechCrunch of the incident.
Regexer isn’t sure if turning on and off aeroplane mode is what stopped the attack, but he’s glad it did.
For weeks, regexer had no idea how he had been hacked. Then, on Monday, he received an email from his cell phone provider, Google Fi, informing him and all other customers that hackers had stolen some of their personal information, most likely as a result of the recent T-Mobile breach.
Unlike the emails sent to other customers, the email regexer received contained more detailed information about the hack he experienced weeks before. “Other data related to your Google Fi account, such as a zip code and the service/emergency address associated with your account, may also have been accessed without authorization,” read the email, which regexer shared with TechCrunch. “Additionally, on January 1, 2023, your mobile phone service was transferred from your SIM card to another SIM card for approximately 1 hour 48 minutes. The unauthorised access could have involved the use of your phone number to send and receive phone calls and text messages during the time of this temporary transfer. Despite the SIM switch, your voicemail could not be accessed. Google Fi service has been restored to your SIM card.”
Regexer stated that he spoke with two Google Fi customer service representatives in an attempt to learn more about what occurred, but neither of them told him anything. Regexer also found no evidence that his Google account, which is linked to his Google Fi account, had been compromised. It’s unclear how the hackers performed the SIM swap. Google has yet to respond to a comment request. And it’s unclear whether or not other people were specifically targeted by hackers in the same way that regexer was.
During the attack, regexer discovered that the hackers had also taken over his Outlook email account and, in an effort to conceal their actions, deleted the emails informing him of the password reset. Even though nothing else has happened since January 1, regexer is still concerned and has asked Google for more information.
“So, unless Google sheds more light on the attack, it’s unclear how vulnerable people’s phone numbers are now. The main thing I’d like to know is whether I and others are still vulnerable, and if there’s anything we can do to protect ourselves. I’d like to know more about the mechanisms used for the phone number takeover because it will shed light on the level of ongoing vulnerability and defence methods, as well as whether SMS two-factor is still preferable to no two-factor at all. (I can use SMS to replace some online accounts, but not all. Many banks and other institutions only allow two-factor authentication via SMS.) I’d also like to know how many people had their phone numbers stolen as a result of the breach, and if it was a small subset, was there any reason why we were singled out?”