> Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.
[1]: https://old.reddit.com/r/GoogleFi/comments/10pjtie/google_fi...
Good reminder that SMS 2FA fucking sucks and so do the institutions that insist on it, especially those that offer other forms of 2FA but treat SMS as a fallback (why why why why why).
People will lose their 2FA. It's a fact of life. Lost keys with your yubikey. Broken phone without a backup of your totp. Etc.
After that, how do you prove that someone owns their account?
Send a photocopy of your passport? No way to edit a picture, right?
Answer some security questions, which you certainly forgot the answer to. And people are likely using the same questions with the same answer on many sites.
Tell them tough luck?
The problem is there isn't a good answer for the most common failure mode. SMS 2FA isn't perfect, but it is accessible to nearly everyone and delegates ownership proof to the telephone company.
Surely from their logs they know if these calls/texts happened?
If, during that period, no calls/SMSes occurred, then there has been no breach - the attacker was close to their target, but walked away with nothing.
If messages/calls were made, the user really needs to know who they were to/from to make any informed decisions. And Google has those logs.
> limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
> It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
I mean, that's almost the minimum amount of data T-Mobile has to have to provide the service to Google Fi customers, and nothing else. The actual customer data is probably stored at Google, and is perfectly safe. The chances of someone being able to use the leaked data in a nefarious way seem practically nil.
> system is used for Google Fi customer support purposes and contains limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
> It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
Also, they only report the breaches they actually know about. From my understanding of T-Mobile, they probably only find a breach when someone completely stumbles into it. For every one they discover I bet there’s 10 they don’t, hah
I buy my SIM cards anonymously. I never use cellular near my house and only use it for data over a VPN. So it would not affect me if all of their data was breached.
Are you sure? In the previous T-Mo breach Ting claimed the opposite.
https://help.ting.com/hc/en-us/community/posts/4405384603291...
> the kind of Ting Mobile customer data at issue in this data breach is not stored on T-Mobile servers. Ting Mobile holds its own customer database on our own servers. The kind of data T-Mobile does have access to are things that are network-specific, like your phone number, SIM card number, usage data, and IMEI.
> T-Mobile does not have access to the Ting Mobile database of names, email addresses, credit card information, etc. Your information is protected and secure from what the hackers claim to have collected.
Unless you run this yourself, I don't understand why you or anyone thinks that adds to their data integrity? VPNs can be, have been, and are the subject of break-ins, and have their own agenda and/or government oversight.
People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so; the reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.
All while making performance, in particular latency, worse.
What's the methodology for doing this successfully?
Use a virtual card from a service such as privacy.com to add funds.
Never make calls or SMS with the SIM card number. Instead use VoIP such as jmp.chat or voip.ms.
T-Mobile detected the breach January 5 and shut it down “within a day”
But
It started approximately November 25th, so the attackers were there for at least a month and a half, pulling 37,000,000 records before anyone noticed.