On January 1st, a technologist known as regexer was notified by email that he had successfully reset his account on the crypto exchange Coinbase.
He then noticed that his phone had no service. Next, his two-factor authentication app, Authy, notified him that a new device had been registered to his account. Once the hackers had control of regexer's phone number, they could reset passwords on his accounts and intercept the SMS messages used as a second factor. According to regexer, this let them take over his Authy account, which in turn gave them the 2FA codes the app generated.
That put even more of regexer's accounts within their reach.
"Now I'm not sure what's happening. I'm completely taken care of," regexer told TechCrunch, recalling the incident.
Unsure what to do next, regexer changed the passwords on other important accounts that had not yet been compromised. At some point, on impulse, he toggled airplane mode on and off on his iPhone. After that, his cell service came back.
Regexer isn't certain that toggling airplane mode is what stopped the attack, but he is grateful that it ended.
For the next few weeks, regexer had no idea how he had been compromised. On Monday, he received an email from his mobile carrier, Google Fi, informing him, as it did its other customers, that hackers had obtained certain customers' information, most likely in connection with the recent security breach at T-Mobile.
Unlike the notice other customers received, regexer's email contained additional details about the attack he had suffered several weeks earlier.
"Other information associated with your Google Fi account may also have been accessed without authorization, such as the zip code and the emergency address for the service or the account," said the message regexer shared with TechCrunch. "Additionally, on January 1, 2023, for approximately 1 hour and 48 minutes, your cell phone service was transferred from your SIM card to a different SIM card. During the temporary transfer, the unauthorized access may have involved the use of your phone number to make and receive calls and texts. Despite the SIM transfer, your voicemail could not be accessed. This has now been corrected, and Google Fi service has been restored to your SIM card."
Regexer said he has spoken with two Google Fi customer representatives to find out more about what happened, but neither provided any information. He also found no evidence that his Google account, which is linked directly to his Google Fi account, had been compromised. It remains unclear how the hackers carried out the SIM swap.
Google has not responded to a request for comment. It is also unclear whether other users were specifically targeted by hackers in the same way regexer was.
As the attack unfolded, regexer discovered that the hackers had also taken control of his Outlook email account. In an apparent attempt to conceal their actions, they had deleted the emails notifying him of the password resets.
Although nothing has changed since January 1st, regexer remains concerned and is asking Google for more details.
"The most important thing I'd like to know is whether I, as well as others, am still at risk and what we can do to help protect ourselves. I'd like to learn more about the methods used to carry out the takeover of phone numbers, as that will reveal the degree of vulnerability, strategies to defend yourself, and whether SMS two-factor is better than none at all. (I can substitute SMS for certain internet-based accounts, but not for all. Some banks and other institutions only permit two-factor verification via SMS.) I'd like to find out how many people had their mobile numbers hacked due to the breach. And if it was a tiny subset, is there any reason to believe that we were the only ones targeted?" regexer said.
"So unless Google provides more information about the hack, there's an open question as to how vulnerable people's phone numbers are today."