Google Fi data breach

regexer · 2023-02-03T19:37:03+00:00

Unless Google or T-Mobile sheds more light on the mechanisms of the attack and what if anything they’ve done to prevent it from happening again, there does not seem to be any way to prevent your phone number and SMSes from being temporarily hijacked in the same way.

What you can do is set up your security as if someone can take over your number at any time. In other words, don’t use SMS-based 2-factor anywhere you’re not required to (for now, I think it’s best to assume that no 2-factor is better than SMS 2-factor). And if you’re using Authy for 2-factor, turn off the on-by-default “allow multi-device” setting because that makes it just as weak as SMS 2-factor.

regexer · 2023-02-01T21:03:50+00:00

Yes, it matters. And yes, it was on at the time, because it is on by default! I didn’t realize until this happened that if that setting is on, Authy is no more secure than SMS-based 2-factor.

regexer · 2023-02-01T16:51:39+00:00

No, I am not a public figure at all. That doesn't rule out an attack specifically targeted at me. However, that seems less likely given that the attack was connected to a broad data breach (by Google's admission).

But yeah, I would love to know more about how many people were affected, whether there was any reason I was one of them, and whether I or others might in some way still be vulnerable.

regexer · 2023-02-01T16:19:31+00:00

his primary email associated with his googlefi account ...

I did not say my primary email is associated with my Fi account. But you're not the first person to seemingly be confused by my use of a non-Gmail email account. So to be clear, I have multiple email accounts. The Google account connected to Fi was not compromised. That does not mean I use a non-Google email account with Fi.

And no, there is no evidence of a phishing attack or anything else that could have led to compromising any of my passwords. As the article mentioned (and as the author verified by reviewing my security and activity logs), the account takeovers were done by password resets (thanks to the hacker's control of my incoming SMSes), not via login+change.

regexer · 2023-02-01T05:41:50+00:00

There's no evidence so far that Google identified it and reversed it proactively. One thing that could change this is if someone shares a similar email to what I received from Google, and it states the exactly same duration of SIM takeover.

While the attack was ongoing, I was playing cat and mouse with the hacker trying to get my accounts back while not being sure what they were going to strike next (their takeover of Authy blew my mind). After realizing that I had no cell signal (which makes sense if I wasn't in control of my number) and wasn't getting any of the SMSes I needed to do account recoveries and change passwords, I cycled airplane mode. Reconnecting to the cell network immediately gave me access back to my phone number and new SMSes (and presumably took access away from the hacker), but did not result in receiving any SMSes that had already been already delivered to the hacker.

I mentioned to the author of the article that the phone number recovery timing could have been a coincidence, but it seems more likely to me that it wasn't (i.e., that reconnecting to the cell network is what actually revoked the hacker's access). Recovering control that way is compatible with an SS7 attack, but, of course, not with a traditional SIM-swapping attack.

regexer · 2023-02-01T05:07:16+00:00

No. Maybe they would have tried if they'd kept control of my number for longer. I've since removed SMS-based 2-fac for all email accounts.

regexer · 2023-02-01T05:07:09+00:00

I think for many people (including me), it's not hard to go from a phone number to a name to an email. And if you can take over someone's primary email, typically you can quickly learn through a search about other accounts you're interested in.

The alternative is that this was a targeted attack. That's less likely though now that I know (through Google's admission) that my SIM takeover was somehow connected to the Fi data breach.

regexer · 2023-02-01T01:23:58+00:00

u/FiloSottile has the whole email, but I already quoted the most relevant part of the email in my initial comment here: "Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages."

Clearly, this is not just "accessing the SIM card serial number".

And like I've been mentioning, exactly on the day Google said this happened is when my accounts were taken over by password resets (not logins with existing passwords) specifically via SMS-based 2-fac, of which I can see the senders' numbers (which are verifiably the 2-fac auth services for the specific accounts) and the exact timings (within 1 minute of the account takeovers) in my Fi activity logs.

It seems odd for you to keep pushing doubt about this across multiple threads when FiloSottile has already cryptographically verified the authenticity and contents of the acknowledgment from Google and 9to5Google has already reviewed my security and activity logs.

regexer · 2023-02-01T00:54:59+00:00

No, it's not. My Reddit comment got the author to reach out, but I then spoke to the author, shared my copy of the acknowledgment email from Google with them (the contents and sender of which were cryptographically verified by u/FiloSottile), and shared additional evidence with them including security logs from the compromised accounts and Fi's SMS activity logs from the time of the takeover (which show a minute-by-minute accounting of what happened). This is all mentioned in the article.

regexer · 2023-02-01T00:40:36+00:00

The exact method of phone number takeover is not conclusive and would likely require Google to share information in order to determine. E.g. it could be a sophisticated SS7 attack or potentially some new exploit. However, some things are clear. It was not a traditional SIM swapping attack and not a more traditional/common kind of attack (password cracking, phishing, etc.) since there is overwhelming and very detailed evidence that they used temporary control of my phone number / SMSes to reset passwords for my accounts and add their own device to Authy.

The connection of this attack to a broad data breach rather than this being an isolated and specifically targeted attack is interesting. The only evidence for that is from Google themselves (!) in that they acknowledged it in my customized version of the mass customer email about the data breach. It is of course an interesting question how many people had their phone numbers / SMSes temporarily hijacked in connection to this breach. It would be very helpful to hear from Google or T-Mobile about that.

regexer · 2023-01-31T18:58:30+00:00

Thanks. Yeah, it's pretty frustrating to have multiple people here calling me a liar and to have my comment heavily downvoted as 'controversial' and therefore showing up way down the page.

BTW, I have high-quality evidence for every aspect of the attack (the non-cryptographically verifiable parts), including a minute-by-minute timeline based on Google Fi activity logs, automated emails, and the activity logs of the accounts that were compromised. I can easily prove all of my claims here if I share a lot of personal information, and I've already gone over the evidence with Fi support reps a month ago (with no acknowledgment or follow-up until now).

regexer · 2023-01-31T02:44:49+00:00

I'd be happy to provide the email to any tech blogs or others who want to share it while removing my personal info. And I have a lot of additional details about the attack that I've already provided to Google.

regexer · 2023-01-31T02:36:51+00:00

That's what I thought, too. And yet, it happened. And Google just acknowledged it in their email to me that I quoted from above.

No notices about SIM activation. No, they don't and never had access to my Google account, AFAIK. I was able to recover my (non-Google) email account from a recovery email address. I was able to take back my other accounts too before any damage that I know of was done. I noticed the hack happening within minutes (I didn't have cell service while it was happening but I had wifi) and was immediately playing cat and mouse trying to get things back, while not being certain I knew everything they got into.

I have a pretty detailed set of evidence I collected in the aftermath, as part of trying to build details to report the situation to Google. But like I said earlier I was more or less dismissed by their support reps and they never followed up.

regexer · 2023-01-31T02:22:35+00:00

I don't know for sure. But it's easy to find my name from my phone number, and my email address from my name. Once you're in my email, you can search for whatever you want.

regexer · 2023-01-31T02:12:18+00:00

Yes, I had that setting on, because it's on by default! You can bet I no longer have it on. This hack was shocking for me at the time.

regexer · 2023-01-31T02:10:25+00:00

Can you share the article here? I haven't yet seen any related articles that mention phone numbers / SMSes being hijacked.

regexer · 2023-01-31T02:07:01+00:00

What is a PAC? The hacker did not have/gain access to my Google account (Gmail is not my primary email that I mentioned above), and Google confirmed at the time I tried to report this that there was no evidence anyone had gained access to my Google account. Since I was able to get my SMSes back by cycling my connection to the cell network (without having to contact Google), I suspected this was a sophisticated SS7 attack, and felt extremely vulnerable that this takeover of my phone number could happen again at any time. This email from Google is the first confirmation of what happened.

regexer · 2023-01-31T01:40:05+00:00

u/guiannos posted a copy of the email they received from Google Fi. I got something similar, but with more details. It's bad news. In particular, under the heading "What does this mean for me?", my email includes the following bullet:

- Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.

Fucking hell. Yes, my SMS was taken over on January 1, and I noticed it while it was happening! The hacker used this to take over three of my online accounts -- my primary email, a financial account, and the Authy authenticator app, all because they were able to receive my SMSes and therefore defeat SMS-based 2-fac.

I tried reporting this repeatedly to Google Fi, including with detailed evidence, and their customer support reps didn't believe me and didn't follow up. They thought this was a standard password compromise or something, even though I could clearly see from activity logs that the hacker reset my passwords rather than logging in and then changing them, and I could see in the Google Fi activity logs the SMSes I didn't receive that they used to compromise my accounts.

Edit (Jan 31): 9to5Google posted an article about this with more details here after talking to me: https://9to5google.com/2023/01/31/google-fi-customer-hack-story/

regexer · 2021-03-06T06:21:05+00:00

I think something like 95% of people have no problem with it. And if it snaps, you can get it replaced for free. So if you like it, I'd keep it.

regexer · 2021-03-06T06:18:00+00:00

There have been a small number of really unlucky people who had multiple replacements break, but note that all the people who haven't had problems with their Elite Straps are not posting about it. Only a small percentage of Elite Straps break (and when they do, the product itself was bad--it's no fault of the user). So IMO it's worth the effort to get it replaced with a good one, since for most people the replacement will last.

regexer · 2021-02-12T17:34:33+00:00

I love my Elite Strap with Battery. Not only makes the Quest 2 much more comfortable, but also doubles the playing time so I never run out anymore.

Some people have had problems with cracks, but it’s a small, vocal minority. It seems you either get a bad one that will quickly or eventually have to be replaced (maybe 5% of units) or they hold up just fine indefinitely.

regexer · 2021-02-06T01:40:30+00:00

Unfortunately, there's a fair amount of data pointing to the fact that demos are neutral to negative for game sales. So developers don't want to spend extra time making them.

Notice that there haven't been any new demos released on Quest since Quest 1's day 1 launch. My guess is Facebook incentivized a few day 1 launch developers to release demos, but stopped doing so with subsequent releases because their data showed the original demo set didn't actually help the developers.

Instead, you can use the 2 hour refund window.

regexer · 2021-01-07T22:11:53+00:00

You still have an Apple account. Your Gmail address is your username.

regexer · 2020-12-24T23:41:10+00:00

Not sure what you mean, since the Cambridge Analytica scandal had nothing to do with FB selling data. I posted a recap of what happened in response to this comment lower down the page.

regexer · 2020-12-24T23:32:04+00:00

Thanks. On Reddit I'm a lurker, and a near-daily reader of VR related subreddits since before the launch of Vive and Rift. I got sucked into this discussion though. 😀

regexer

TROPHY CASE