Yesterday, Mint Mobile’s co-founder, Rizwan Kassim, posted to Reddit acknowledging recent security issues. Here’s the key excerpt:
So what happened? We can’t share much, but in short, Mint Mobile was the victim of a social engineering incident last month that impacted a small number of subscribers. We have been in contact with impacted subscribers and quickly restored their services. We also continue to investigate this incident.
The post is sparse on details, and I don’t entirely accept Mint’s claims about being unable to share further information. However, Mint deserves credit for making the post and pinning it to the top of the r/MintMobile subreddit.
As best as I can tell, something happened almost a month ago that led to Mint subscribers becoming victims of SIM swap attacks. At least two reports surfaced on Reddit. I suspect a significantly larger number of customers were affected, and I’ve asked Mint to clarify.
About a month ago, Mint also had an incident where a large number of subscribers received unexpected password reset notifications. I think that incident was unrelated to the recent SIM swapping, but I’m not sure.
Mint’s Ticking Time Bomb
Mint walked into its latest security troubles. I wrote the bit below over a year ago:
While searching through old Reddit posts this morning, I realized Mint subscribers had been regularly discussing this security issue for at least two years. Many Reddit posters have asked Mint to implement two-factor authentication or secure PINs for porting numbers. Here’s one notable example from six months ago:
Mint really, really, really needs to add the ability to have a user-set PIN (that they store in their system as a hash, so no one inside can ever see the PIN plaintext, just confirm that you have the right one)… It is totally mystifying to me and other security professionals why r/rizwank [Rizwan Kassim, Mint co-founder] is setting himself and the otherwise-great company he created up for massively bad publicity and legal expenses when his users get hacked en masse by Eastern European mafiosos. As Mint grows this is inevitable as long as Mint refuses to implement PINs.
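The quoted poster describes the right storage model for a port-out PIN: keep only a hash, so an insider or a database leak never exposes the plaintext, and let the system merely confirm a presented PIN. The example below (added here; it is not Mint’s code, and the names set_pin, verify_pin and PinRecord are hypothetical) shows how that is done in practice. Two details matter beyond “hash it”: a PIN has very little entropy, so a fast hash would be brute-forced offline in seconds, which is why a deliberately slow, salted derivation (PBKDF2-HMAC-SHA256 here) is used; and online guessing must be stopped by a lockout counter, because a slow hash alone does not protect a six-digit secret.

```python
import hashlib
import hmac
import os

# Hypothetical server-side handling of a subscriber's port-out PIN.
# Nothing below is from Mint; it illustrates the "store only a hash" approach.

PBKDF2_ITERATIONS = 300_000  # deliberately slow; tune upward for production hardware
MAX_FAILED_ATTEMPTS = 5      # lock the PIN after this many consecutive wrong guesses


class PinRecord:
    """Everything the server keeps for one subscriber's PIN. No plaintext field exists."""

    def __init__(self, salt: bytes, digest: bytes, iterations: int):
        self.salt = salt              # per-record random salt
        self.digest = digest          # PBKDF2 output, 32 bytes for SHA-256
        self.iterations = iterations  # stored so it can be raised later without breaking old records
        self.failed_attempts = 0
        self.locked = False


def _derive(pin: str, salt: bytes, iterations: int) -> bytes:
    # Slow, salted derivation: offline guessing of a short PIN now costs real CPU time per guess.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations)


def set_pin(pin: str) -> PinRecord:
    """Accept a user-chosen PIN and store it only as a salted, slow hash."""
    if not (pin.isascii() and pin.isdigit() and 6 <= len(pin) <= 10):
        raise ValueError("PIN must be 6 to 10 digits")
    # Reject the most guessable choices; a real deployment would use a larger denylist.
    if len(set(pin)) == 1 or pin in ("123456", "1234567", "12345678", "123456789"):
        raise ValueError("PIN is too guessable")
    salt = os.urandom(16)  # fresh salt per record: identical PINs produce different digests
    return PinRecord(salt, _derive(pin, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS)


def verify_pin(record: PinRecord, attempt: str) -> bool:
    """Confirm an attempt without ever recovering the PIN; lock the record after repeated failures."""
    if record.locked:
        return False  # locked records require an out-of-band reset, not more guesses
    candidate = _derive(attempt, record.salt, record.iterations)
    ok = hmac.compare_digest(candidate, record.digest)  # constant-time comparison
    if ok:
        record.failed_attempts = 0
    else:
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
            record.locked = True
    return ok


if __name__ == "__main__":
    rec = set_pin("739182")  # constructed sample PIN
    print("stored fields:", sorted(vars(rec)))  # no 'pin' field anywhere
    print("correct PIN accepted:", verify_pin(rec, "739182"))
    print("wrong PIN accepted:", verify_pin(rec, "000000"))
```

The record stores a salt, a digest and an iteration count, so a support agent with database access sees nothing usable, and an export of the table cannot be reversed into PINs without paying the derivation cost per guess. Port-out and SIM-change requests would call verify_pin and refuse to proceed on a False result; the lockout counter is what turns a weak six-digit secret into something that holds up against repeated calls to customer support.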
For quite a while, Mint has claimed to be interested in adding security features. The latest issues may lead the company to prioritize actually releasing something.