Sprint says customer accounts were breached via Samsung.com

17 Jul 2019

Image: © maria_savenko/Stock.adobe.com

Samsung said it has deployed measures to prevent further attempts to breach its website.

Yesterday (16 July) US telecoms company Sprint said that an unknown number of its customers’ accounts had been breached by hackers.

In a letter to the affected customers, Sprint revealed that it was informed of the hack on 22 June. Sprint told these customers that their credentials had been accessed through Samsung.com’s ‘add a line’ website.

In Sprint’s letter, which was shared on ZDNet, the company said: “The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services. No other information that could create a substantial risk of fraud or identity theft was acquired.”

The mobile phone operator then told the impacted users that it had taken appropriate action by resetting the PIN associated with any of the accounts that may have been at risk. Sprint said: “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

As pointed out by ZDNet: “The Sprint account breach notification lacks a few important details, such as the number of breached accounts, the date when hackers first started accessing Sprint accounts via the Samsung.com website and if hackers modified any customer account details.”

The publication reached out to Sprint for comment, but had not received a response to its query by the time of publishing Sprint’s letter to customers.

Sprint told Gizmodo that a dedicated care team had been established to assist users who were affected and concerned by the breach.

A spokesperson from Samsung told CNET: “We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung.

“We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts.”

Boost Mobile breach

This isn’t Sprint’s first public issue with cybersecurity. In May, Sprint mobile network Boost Mobile made headlines after the company reported a breach affecting an unknown number of customers.

At the time, Boost quietly notified customers, telling them: “Boost.com experienced unauthorised online account activity in which an unauthorised person accessed your account through your Boost phone number and Boost.com PIN code. The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorised account activity.”

You can read Sprint’s notification from May here.

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com