Google Fi hack victim had Coinbase, 2FA app hijacked by hackers

On January 1, a technologist who goes by the nickname regexer received an email notifying him that the password on his account at the crypto exchange Coinbase had been reset.
Unfortunately – and worryingly – he hadn’t asked for a password reset. Regexer, who asked to be referred to by his online moniker for fear of being targeted by hackers again, quickly realized he had been hacked; his attempt to log into Coinbase to regain control of the account failed.
Soon after, he noticed he had no cell phone service. Then his two-factor app, Authy, notified him that a new device had been added to his account. Having taken control of regexer’s phone number, the hackers were able to reset the passwords on his accounts and intercept the two-factor SMS messages sent to that number. Because an Authy account is bound to a phone number, that also let them take control of his Authy account and use the 2FA codes the app generated, according to regexer.
That, in turn, gave them a way into more of regexer’s accounts, including ones protected by app-based codes rather than SMS.
“Now I don’t know what the hell is going on. I’m totally owned,” regexer told TechCrunch, recalling the incident.
Unsure of what to do, regexer began changing passwords on his other important accounts that apparently hadn’t been compromised yet. Then, on a whim, he turned airplane mode on and off on his iPhone. Somehow, after that, his cell phone service was restored.
Regexer isn’t sure if toggling airplane mode on and off was what stopped the attack, but he’s glad it did.
For weeks, regexer had no idea how he had been hacked. Then, on Monday, he received an email from his cell phone provider, Google Fi, informing him and all other customers that hackers had stolen some customers’ information, likely in connection with the recent breach at T-Mobile.
Unlike the notice sent to other customers, the email regexer received contained more detailed information about the attack he had suffered weeks earlier.
“Other data related to your Google Fi account may also have been accessed without authorization, such as a zip code, and the service/emergency address associated with your account,” read the email, which Regexer shared with TechCrunch. “In addition, on January 1, 2023 for approximately 1 hour and 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During this temporary transfer, the unauthorized access may have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been opened. We have restored Google Fi service to your SIM card.”
Regexer said he has spoken to two Google Fi customer representatives to find out more about what happened, but neither was able to tell him anything. Notably, regexer saw no evidence that his Google account, which is linked to his Google Fi account, was compromised. It is unclear how the hackers were able to perform the SIM swap.
Google did not respond to a request for comment. It is also not yet known whether other people were specifically targeted by the hackers the way regexer was, or how many.
While the attack was in progress, regexer found that the hackers had also taken over his Outlook email account and – cleverly – deleted the password-reset notification emails in an attempt to hide their activity.
Although nothing else has happened since January 1, regexer is still concerned and is asking Google to reveal more information.
“The most important thing I want to know is whether I and others are still vulnerable, and whether there is anything we can do to protect ourselves. I would like to know more details about the mechanisms used for the phone number takeover, because it will shed light on the level of current vulnerability and defense methods, as well as whether SMS two-factor remains better than no two-factor at all. (I can replace SMS for some online accounts, but not all. Many banks and others only allow two-factor via SMS.) I’d also like to know how many people had their phone numbers hijacked in connection with the breach, and, if it was a small subset, was there any reason we were specifically targeted,” regexer said.
“So unless Google sheds more light on the attack, it’s a big open question about how vulnerable people’s phone numbers are now.”
Are you a Google Fi subscriber who also fell victim to a similar attack? Did you also get a personal notification from the company about the hack against you? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email [email protected] You can also contact TechCrunch via SecureDrop.