[BreachExchange] Boost Mobile says hackers broke into customer accounts

Destry Winant destry at riskbasedsecurity.com
Wed May 15 10:05:54 EDT 2019


https://techcrunch.com/2019/05/13/boost-mobile-hackers-accounts/

Boost Mobile, a virtual mobile network owned by Sprint, has confirmed
hackers have broken into an unknown number of customer accounts.

The company quietly posted a notification of its data breach almost
exactly two months after March 14, when Boost said the breach
happened.

“Boost.com experienced unauthorized online account activity in which
an unauthorized person accessed your account through your Boost phone
number and Boost.com PIN code,” said the notification. “The Boost
Mobile fraud team discovered the incident and was able to implement a
permanent solution to prevent similar unauthorized account activity.”

A Sprint spokesperson didn’t say how many customers are affected, but
said Boost “was the target of a security data breach.”

“The Boost IT team identified unusual activity on a page of the
Boost.com website, blocked access and not long after implemented a
permanent solution,” said the spokesperson. “Customers’ credit card
and social security numbers are encrypted and were not compromised.”

The company also notified the California attorney general, which
companies are required to do if more than 500 people in the state are
affected by the same security incident.

Boost Mobile reportedly had 15 million customers in 2018.

The hackers used those phone numbers and account PINs to break into
customer accounts using the company’s website Boost.com, said the
notification. These codes can be used to alter account settings.
Hackers can automate account logins using lists of exposed usernames
and passwords — or in this case phone numbers and PIN codes — in
what’s known as a credential stuffing attack.

Boost said it has sent to affected customers a text with a temporary PIN.

