Sprint Breach Via Samsung Website Exposes Customer Data

Threat actors broke in through Samsung’s ‘add a line’ website and might have viewed a broad array of personal customer information such as phone numbers, account numbers, subscriber IDs, and customer IDs.

Hackers broke into an undisclosed number of Sprint customer accounts through Samsung's "add a line" website, according to a letter sent to affected customers.

The Overland Park, Kansas-based telecommunications giant said threat actors might have viewed a broad array of personal customer information, including phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address, and add-on services.

Sprint said it was first notified of the breach on June 22, and re-secured customer accounts by resetting PIN codes on June 25. Threat actors didn't acquire any other information that could create a substantial risk of fraud or identity theft, according to the company.

[Related: The 13 Biggest Data Breaches of 2019 (So Far)]

"We apologize for the inconvenience this may cause you," Sprint wrote in the letter to impacted customers, which was posted on Scribd. "Please be assured that the privacy of your personal information is important to us."

Samsung said in a statement that it recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that weren't obtained from Samsung. The company said it has deployed measures to prevent further attempts of this kind on Samsung.com.

"Samsung takes security very seriously," the company said in the statement. "No Samsung user account information was accessed as part of these attempts."

Sprint didn't indicate in its letter how many customer accounts were breached, when hackers were first able to break into account via Samsung.com, or how the telecom giant first learned about the breach.

In a statement, Sprint said that on June 22, the company “was informed of unauthorized access to Sprint accounts using customer account credentials via the Samsung.com ‘add a line’ website. On June 25, 2019 Sprint re-secured all accounts by resetting customer PINs and via text message notified all potentially impacted customers. Information such as customers’ account Personal Identification Numbers (PINs) may have been compromised, however credit card and social security numbers are encrypted and were not compromised.”

The company added that “because Sprint takes this matter, and all matters involving our customers’ privacy, very seriously, in addition to the initial customer notification, Sprint is taking the extra step of separately sending letters to impacted customers to remind them to update their existing PINs and that a dedicated Care Team has been established for assistance. As a precautionary measure, we have also provided information on tools and resources that will help our customers safeguard their personal information.”

This is the second time in 2019 Sprint has needed to send a breach notification letter to customers. The first came in May, when the company said threat actors used Boost.com PIN codes and phone numbers to access users' Sprint accounts.