Boost Mobile Disclosed Credential Stuffing Attack Two Months Post-Breach

Boost Mobile suffered from a credential stuffing attack but they only notified users two months after.Boost Mobile users were only notified of the breach two month after. Image from Mike Mozart | Flickr | CC BY 2.0

The rise of the internet has helped businesses in countless ways, especially in terms of communication. One of the innovations that have revolutionized industries and opened new opportunities to millions of small and medium enterprises (SMEs) is the VoIP or Voice over IP. The technology allows businesses to make and receive calls using the internet, which is practically a lot more inexpensive than traditional telephone lines.

However, as VoIP operates through the world wide web, technology is also vulnerable to cyber attacks. This is evidenced by what happened to Sprint-owned virtual mobile network operator Boost Mobile when they were targeted by a particular cyber attack.

The alarming part of what happened to Boost Mobile is that they failed to alert their users immediately after they found out that their data were breached. According to a recent “quiet” announcement, Boost Mobile suffered from a data breach two months ago that allowed hackers to access some user accounts.

“ experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and PIN code,” said the notification. “The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.”

According to the notice posted on the Boost Mobile website, the said breach occurred on March 14th, 2019, but it seems that they only notified their customers and disclose information about the breach two months after they discovered the cyber attack. According to the notice, the breach resulted in several customer phone numbers and PIN codes being exposed.

No information was also disclosed regarding how many people are affected by the current breach. But the company notified California’s attorney general regarding the incident, means the number of victims could be more than 500.

Note: Legislations in California require businesses to inform the attorney general whenever a data breach affecting 500 or more people.

While the company kept mum on the number of victims, they, however, was able to confirm that the data breach was a consequence of a targeted attack.

“The Boost IT team identified unusual activity on a page of the website, blocked access and not long after implemented a permanent solution,” said the spokesperson. “Customers’ credit card and social security numbers are encrypted and were not compromised.”

The notification also noted that the hackers used the phone numbers and PIN collected from the breach in accessing customer accounts in the Boost Mobile website. These codes can be used to alter account settings. Hackers can automate account logins using lists of exposed usernames and passwords — or in this case phone numbers and PIN codes — in what’s known as a credential stuffing attack.

Credential stuffing attacks have been designed by hackers to be completely automated, making use of extensive collections of stolen credentials bought from the black market to be able to brute force their entry to a computing system. Other several companies have been attacked by this type of modus operandi as well. Credential stuffing attacks have also infiltrated the networks of other popular brands such as TurboTax, Dunkin’ Donuts, Basecamp, and Dailymotion in the first quarter of 2019.

A similar incident also happened to the popular Japanese clothing brand UNIQLO, when a credential stuffing attack also compromised data of almost 500,000 customers. Nearly half a million accounts have been compromised as the internal server of the famous Japanese clothing brand, UNIQLO, has been breached, according to a notification sent out by the company today.

The announcement states that the UNIQLO Japan and GU Japan online stores have been hacked and third parties were able to gain access to 461,091 customer accounts following a credential stuffing attack on their servers.

According to the notification that the company sent out to the affected accounts, the credentials stuffing attack, which led to the data breach, took place between April 23rd and May 10th this year. However, the number of compromised account could be higher because the investigation is yet to be concluded.

“While the number of incidents and circumstances may change during the investigation, Fast Retailing is today providing notice of the facts as determined at present, and the company’s response,” says Fast Retailing.

Meanwhile, Boost Mobile said that they have already sent temporary PINs to affected customers via a text message. It is still unclear whether the two incidents were related or not.

1 Comment on "Boost Mobile Disclosed Credential Stuffing Attack Two Months Post-Breach"

  1. Barbara Garcia | June 25, 2019 at 6:54 am | Reply

    How would you know if this has happened to you ? I have two lines in my name on my account

Leave a comment

Your email address will not be published.