On January 1, a technologist who goes by the nickname regexer received an email saying he had successfully reset his account at the crypto exchange Coinbase.
Unfortunately — and worryingly — he had actually not requested a password reset. Regexer, who asked to be referred to by his online moniker for fear of being targeted by hackers again, quickly realized he was being hacked, and his attempts to log into his Coinbase to regain control were unsuccessful.
Soon after, he noticed he had no cell phone service. Then, his two-factor app, Authy, notified him that a new device was added to his account. After the hackers took control of regexer’s cell phone service, the hackers were able to reset the passwords on his accounts and intercept two-factor SMS messages. That allowed the hackers to take control of Authy, giving them the ability to use the 2FA codes created by the app, according to regexer.
This gave them a chance to break into even more accounts owned by regexer.
“Now I don’t know what the hell is going on. I am totally owned,” regexer told TechCrunch, recalling the incident.
Unsure what to do, regexer started changing passwords on his other important accounts that had apparently not been compromised yet. Then, on a whim, he turned airplane mode on and off on his iPhone. Somehow, after that, his cell phone service was restored.
Regexer isn’t sure if turning airplane mode on and off is what stopped the attack, but he is glad that it happened.
For weeks, regexer had no idea how he had been hacked. Then, on Monday, he received an email from his cell phone provider, Google Fi, informing him and all other customers that hackers had stolen some customers’ information, likely connected to the recent breach at T-Mobile.
Unlike for other customers, the email regexer received contained more detailed information about the hack he suffered weeks prior.
“Other data related to your Google Fi account also may have been accessed without authorization, such as a zip code, and the service/emergency address associated with your account,” read the email, which regexer shared with TechCrunch. “Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.”
Regexer said he has talked to two Google Fi customer representatives trying to figure out more details about what happened, but neither of them told him anything. And, interestingly, regexer didn’t see any evidence that his Google account, which is tied to the Google Fi account, was compromised. It’s unclear how the hackers were able to perform the SIM swap.
Google has not responded to a request for comment. And it’s not yet known if there were other people, or how many, specifically targeted by hackers the way regexer was.
While the attack was ongoing, regexer found out the hackers had also taken over his Outlook email account, and — smartly — in an effort to hide their actions, deleted the emails informing of the password reset.
Even though nothing else happened since January 1, regexer is still worried and is calling on Google to disclose more information.
“The main thing I’d like to know is whether I and others are still vulnerable, and if there’s anything we can do to protect ourselves. I’d love to know more details about the mechanisms that were used for the phone number takeover because that will shed light on the level of ongoing vulnerability and methods for defense, as well as whether SMS two-factor remains better than no two-factor at all. (I can replace SMS for some online accounts, but not all. Many banks and others only allow two-factor via SMS.) I’d also love to know how many people had their phone numbers hijacked in connection with the breach, and, if it was a small subset, was there any reason that we in particular were targeted,” regexer said.
“So unless Google sheds more light on the attack, there is a big open question about how vulnerable people’s phone numbers now are.”
The website for ODIN Intelligence, a company that provides technology and tools for law enforcement and police departments, was defaced on Sunday. The apparent hack comes days after Wired reported that an app developed by the company, SweepWizard, which allows police to manage and coordinate multi-agency raids, had a significant security vulnerability that exposed personal information of […]
DNV, a Norwegian shipping classification society, has confirmed its systems were hit by a ransomware attack, affecting around 1,000 ships that rely on its technology. The Oslo-based DNV said in a statement on Wednesday that its ShipManager software was targeted by file-encrypting malware on January 7, forcing the organization to shut down its servers. ShipManager is a fleet management […]
With lidar companies Ouster and Velodyne officially merged, CEO Angus Pacala has identified the next phase of growth. And it’s not self-driving cars or even advanced driver assistance systems. It’s smart infrastructure. “I keep saying this and people think I’m crazy, but there’s a good chance that smart infrastructure becomes our biggest vertical by a long shot […]
Leave a Reply