Last night Google Fi disclosed a data breach to customers that, for at least one person, turned out to be a far more serious situation: their phone number was moved to another device and they watched their accounts get hacked in real time.

Google Fi’s disclosure of this recent data breach told customers that a “limited amount of Google Fi customer data” was accessed by a third party, explaining that the data included some account data, SIM card serial numbers, and account status, but that no personal data such as names, birthdates, or other sensitive details was revealed.

However, that email varied for at least one customer.

In a post shared to Reddit, a Google Fi customer said that their email from Google mentioned their phone service being transferred to another SIM card for just under two hours. The email read:

Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.

9to5Google has since been in contact with this Fi customer who explained the situation they encountered and offered evidence to back those details up.

On January 1, the customer received email notifications of unauthorized access and password resets for several online accounts, including their Outlook email address, a crypto wallet account, and Authy. All of those accounts were being accessed by a third party and, in the case of Outlook and the crypto account, passwords were successfully reset. Logs from those services viewed by 9to5Google showed that the attacker had gained access to the customer’s phone service, using the number to receive SMS codes for these accounts and gain access.

Google Fi text history at the account level – which shows the phone numbers of messages sent or received but not their contents – showed that SMS messages from two-factor services were sent within one minute of the attacker gaining access to those accounts.

Frighteningly, the customer was only aware any of this was happening because of email alerts, as the SMS messages were not coming through to their smartphone because their phone number had moved to the attacker’s SIM card. Several SMS messages were exchanged during the period of time (roughly 45 minutes) in which the attacker had access to that phone number, including the two-factor authentication codes used to gain access to accounts, as well as new codes being sent by the affected customer as they tried to regain access to those accounts.

Ultimately, the customer was able to regain access to their accounts, and also their phone number upon turning network access on their iPhone off and back on. It’s unclear if this process is what ended the attacker’s access or if it was a simple coincidence, though.

In the email mentioned above (which was cryptographically verified by a security researcher who formerly worked for Google), Google recommended that the customer turn off two-factor authentication codes and offered two years of credit monitoring and identity theft protection to the customer, something that wasn’t in the email sent to other customers (emphasis our own).

Here is our advice for staying safe online. These include taking our Security Checkup, using secure networks when browsing the web, and selecting privacy settings, including non-SMS-based 2-Step Verification, that can help protect the security of your data.

So what happened?

Really, it’s not entirely clear, and the customer told us that Fi support representatives were unable to provide any details and dismissed the case to some extent.

A typical “SIM swapping” attack doesn’t explain how the attacker was able to move service from one SIM to another remotely. This customer was, notably, using a physical SIM card and not an eSIM. An SS7 attack seems plausible, but Google mentioning this detail in an email talking about a data breach that affected other customers adds many other layers to the situation. It certainly implies that the data breach, which started with 37 million T-Mobile customers, had something to do with this incident.

Obviously, this situation brings up some big questions. Were other customers affected? Were these customers affected for the same period of time? Was this a targeted attack? And, perhaps most importantly, was T-Mobile also affected in a similar manner?

We’ve reached out to Google for more information on this aspect of the data breach, but the company has not responded to our request.

If you are a Google Fi customer who received a similar message from Google, please reach out via email.

About the Author

Ben Schoon

Ben is a writer and video producer for 9to5Google.

Find him on Twitter @NexusBen.