Google Fi, Google's telecommunications service, has confirmed a data breach that is likely connected to the recent security incident at T-Mobile that exposed the personal data of 37 million customers.
In an email sent to customers, Google said that the primary network provider for Google Fi informed them of a suspicious activity involving a third-party system that contained a "limited amount" of Google Fi customer data.
While the email didn't explicitly mention T-Mobile, it's very likely that the breach was connected to T-Mobile's incident. This is because Google Fi relies primarily on T-Mobile's 5G network aside from US Cellular for network connectivity, and only the former is known to have recently suffered a security incident.
Regarding the Google Fi data breach, Google says the threat actors gained access to data such as phone numbers, SIM card serial numbers, account statuses, account activation dates, and whether a subscriber has international roaming or unlimited SMS. The search giant claims that the attackers didn't take customers' personal information, payment card data, Google Fi passwords or PINs, or the contents of SMS messages or calls.
The email says that there is no action required from customers. However, as TechCrunch points out, one Google Fi customer claimed that their phone was briefly hijacked as a result of the attack. A portion of their email from Google read:
Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.
It is not yet known how many people have been affected by the Google Fi data breach as of this writing. Google did say, however, that it is working with its primary network provider to secure the data on the aforementioned third-party system.
Source: Android Police via TechCrunch