US mobile network operator Sprint said hackers broke into an unknown number of customer accounts via the Samsung.com “add a line” website.
“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website,” Sprint said in a letter it is sending impacted customers.
“The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services,” the US telco said.
Sprint said the information hackers had access to did not pose “a substantial risk of fraud or identity theft,” although many might disagree with its assessment.
The company said it re-secured all compromised accounts by resetting PIN codes three days later, on June 25.
Unknown number of compromised accounts
The Sprint account breach notification lacks a few important details, such as the number of breached accounts, the date when hackers first started accessing Sprint accounts via the Samsung.com website, and whether hackers modified any customer account details.
ZDNet reached out to Sprint with all these questions, along with an inquiry about how Sprint discovered the breach in the first place. A spokesperson did not respond in time for this article’s publication.
This is the second account breach notification letter Sprint is sending this year. The company also suffered another breach via Boost Mobile, a virtual mobile network and Sprint subsidiary.
In May, Sprint said hackers used Boost phone numbers and Boost.com PIN codes to access users’ Sprint accounts.
US mobile network operator Sprint recently reported that hackers gained unauthorized access to an unspecified number of customer accounts through the Samsung.com “add a line” website. According to a letter Sprint is sending to affected customers, the company learned about the breach on June 22.
The letter explains that hackers used customers’ account credentials to access personal information via the Samsung.com website. The exposed information may include phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, names, billing addresses, and add-on services. Despite this, Sprint claims the compromised data does not pose “a substantial risk of fraud or identity theft,” though many customers may question this assessment given the range of information exposed.
To address the breach, Sprint took action three days after discovering the incident by resetting the PIN codes on all affected accounts, effectively re-securing them by June 25. However, key details remain unclear. Sprint’s notification did not disclose how many accounts were compromised, when hackers first gained access, or whether they made any changes to customer account details during the breach.