Verizon warned prepaid customers that attackers gained access to an undisclosed number of Verizon accounts and used exposed credit card info in SIM swapping attacks.
“We determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account,” Verizon said in an alert published this week.
“Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it.”
Verizon added that it blocked further unauthorized access to its clients’ accounts and found no evidence that this malicious activity is still ongoing.
The company also reset the Account Security Codes (PINs) for an undisclosed number of customers “in an abundance of caution.”
According to the notification, the attackers couldn’t access the full credit card number or the customers’ banking information, financial information, passwords, Social Security numbers, tax IDs, or other personal details since user accounts don’t contain this info.
However, Verizon said the threat actors could have accessed names, telephone numbers, billing addresses, price plans, and other service-related information on compromised accounts.
SIM swap attack used to steal crypto
One of the Verizon customers who received this notice told BleepingComputer that they were the victims of a SIM swap attack more than a week before Verizon alerted customers.
“On 10/7 when I was sim-swapped, the attackers breached my email and attempted to access my crypto accounts,” they told BleepingComputer.
“I suspect they used information from the Coinbase breach to target me but got access due to the exposure of credit card info from Verizon.”
SIM swapping (aka SIM hijacking, SIM splitting, or SIM jacking) allows criminals to take control of a target’s phone number by convincing their mobile carriers to swap the phone number to an attacker-controlled SIM card using social engineering or with the help of bribed employees.
While Verizon’s notification was published on its website earlier this week to warn customers of these attacks, the telecom giant made sure that search engines won’t index the page by adding ‘noindex’ and ‘nofollow’ tags to its metadata.
Once the phone number is locked, it can no longer be ported to another line/carrier or swapped to another SIM unless the account owner removes the lock.
BleepingComputer reached out to multiple Verizon spokespersons for more info on how many customers were affected but did not receive a reply before the article was published.