Threat actors gained unauthorized access to an undisclosed number of Sprint customer accounts via a compromised Samsung website.  

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website,” the wireless provider said in a letter to impacted customers posted on Scribd.

“The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services,” Sprint said.

The company had resecured customer accounts by June 25 as well as notified those affected that there account PIN may have been compromised and instructed them to change them, according to the letter.

Those affected have also been instructed to place a fraud alert on their credit reports, review their credit reports, close accounts believed to have been tampered with, file a report if they suspect identity theft took place, and review the Federal Trade Commission (FTC) Identity Theft website.

OneSpan Senior Product Marketing Manager Sam Bakken criticized Sprint for not taking the incident seriously enough.

“Suggesting this breach does not put users at risk of fraud or identity theft strikes me as either ignorant or disingenuous,” Bakken said. “Our mobile devices are becoming a more and more significant aspects of our identity. Look at the damage SIM-swap attacks can do.”

Bakken explained attackers have the building blocks for an account-takeover scheme when they combine phone numbers, device type, and device ID. Ultimately, the Sprint incident appears to be another example of consumers’ privacy and security being violated likely through no fault of their own, he said.

The timing of the incident couldn’t have come at a worse time as it comes on the heels of a recently reached $26.5 billion merger agreement with T-Mobile a Balbix CISO Jonathan Bensen pointed out. The merger allows the country’s third and fourth-largest mobile carriers to combine creating a more formidable opponent to Verizon and AT&T.

“If the two enterprises do merge, it is critical that the pair implement security solutions that scan and monitor all T-Mobile and Sprint-owned and managed assets as well as all third-party systems to detect vulnerabilities that could be exploited,” Bensen said. “Proactively identifying and addressing vulnerabilities that would put them at risk, such as the Samsung.com threat that lead to this breach, is the only way to stay ahead of future breaches and avoid litigation, fines under data privacy laws, retain brand image, increase the organizations’ market share and beyond.”

In addition, Sprint recently announced that it lost 189,000 customers and admitted a loss of four cents per share in its fiscal fourth quarter. Bensen said he wouldn’t be surprised if T-Mobile reconsidered the merger to avoid suffering the same fate as Marriott that was fined $123 million last week under GDPR for its 2018 data breach. 

“Regardless of the number of individuals affected, the type of information hackers had access to leaves Sprint customers vulnerable to identity theft and fraudulent activity,” Bitglass Chief Technology Officer Anurag Kahol said. “When armed with payment card information and personally identifiable information, malicious parties can engage in highly targeted phishing attacks, make fraudulent purchases, sell said data on the dark web for a quick profit, and much more.” 

Kahol noted that while Sprint has resecured all compromised accounts by resetting PIN codes, it’s not known when hackers first gained access to customer accounts, and what damage may already be done.