Boost Mobile, Sprint’s mobile network, recently admitted that hackers had breached its customers’ accounts through its main website. The data breach occurred back in March and was only recently announced.
In a notification posted on its website, the company stated that its site “experienced unauthorized online account activity [and that] an unauthorized person accessed [user] account[s] through [their] Boost phone number and Boost.com PIN code.” The company’s fraud team noted that the incident was quickly taken care of through “a permanent solution [that was used] to prevent similar unauthorized account activity.”
According to TechCrunch’s communication with a Sprint spokesperson, Boost Mobile had encrypted any Social Security or credit card information, so that sensitive data was not compromised in the breach.
Because the breach affected a large consumer base of over 500 people, the company had to notify the California attorney general in writing.
With access to Boost Mobile users’ account names and PINs, hackers can use a type of cyberattack known as credential stuffing, which automates the sending of login requests to the Boost Mobile site in order to access consumer accounts. The company has already sent a text with a new temporary PIN to those affected by the breach. Users can log into their accounts with the link provided in the text message to set a new PIN code. Boost Mobile recommends that users reset their PINs if they have not already done so.
In the meantime, the company has also recommended that customers regularly check their Boost Mobile accounts for any fraudulent activity and report any identity theft or fraud to consumer credit reporting companies.