US telecoms company Sprint has informed some customers that their Sprint accounts have been accessed by hackers via a Samsung website.
In a letter sent out to impacted customers, Sprint said it learned of unauthorized access to accounts on June 22 and affected accounts were “re-secured” on June 25. The company said the attackers gained access to personal information via Samsung’s “add a line” website, which allows customers to add a new line of service to their plan.
According to Sprint, information such as name, phone number, billing address, device type, subscriber ID, account number, account creation date, monthly recurring charges, upgrade eligibility, and add-on services may have been compromised.
“No other information that could create a substantial risk of fraud or identity theft was acquired,” Sprint said.
The company claims it has not detected any fraudulent activity associated with impacted accounts, but it has warned customers that their PIN has been reset as it may have been compromised.
Samsung told CNET that the Sprint login credentials used to access accounts were not obtained from its own systems, which suggests that the attackers used credentials from a third-party breach and relied on the fact that many users set the same password for multiple online services.
“We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts,” Samsung said.
SecurityWeek has reached out to Sprint for more details about the attack and the number of impacted customers, but the company has yet to respond.
“Even though the exact amount of Sprint customers affected is unknown, the company claimed 54.5 million customers in Q1 2019. For security and privacy reasons, every user should assume that his or her information may have been compromised in this breach,” said Ben Goodman, CISSP and SVP of global business and corporate development at ForgeRock. “The information exposed in this latest breach of Sprint’s customers can be combined with previously stolen data to create effective credential stuffing lists for brute force attacks on other accounts or even highly targeted phishing attacks. All of Sprint’s customers should take precautionary measures to protect other accounts by enabling multi-factor authentication (MFA) and changing login credentials.”
“Even if Sprint’s website was secure, the intruders gained unauthorized access via Samsung.com. The attack landscape is constantly expanding and organizations must be prepared to secure customer data by implementing security strategies and tools that respect customer privacy and prescribe real-time, contextual and continuous security that detect unusual behavior and prompt further action, such as identity verification via MFA,” Goodman added.
Earlier this year, Sprint subsidiary Boost Mobile warned an unspecified number of customers about unauthorized access to their accounts.
Related: T-Mobile Data Breach Hits Over 2 Million Customers
Related: Canadian Telecom Firm Freedom Mobile Exposed Customer Details