One of Canada’s three big wireless carriers was hacked last month, with the attacker making off with customer names and phone numbers for two months during the summer of 2017. The stolen data is already on sale online.
According to Bleeping Computer, Telus has begun notifying customers by email that a database of subscribers to its low-cost Koodo service about the violation of security controls.
The email says that on Feb. 13 an unauthorized third party using compromised credentials accessed the Koodo system and copied data for the months of August and September 2017. This data included customer mobility account number and telephone number. If that information changed since then, it wasn’t compromised.
However, account and phone numbers could be used by a criminal to switch a customer’s mobile to other numbers. That would enable the attacker to receive a two-factor authentication code if that safety capability has been enabled. As a result, Koodo said it has enabled the “Port Protection” feature on the affected accounts, which prevents attackers from porting a Koodo Mobile number to another carrier unless the account holder first calls and requests it to be done.
“We have found evidence that the unauthorized third party is offering the information for sale on the dark web,” the email to affected customers says. “With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to law enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter.”
However, the news story also says the notice to customers advises them to stop using their mobile number as the second factor in a 2FA setup.