"This is still very raw (I haven't even told my family yet)," Coonce wrote in an anguished medium post. "On a Monday night in June, Matthew Miller's daughter woke up to say that his Twitter account had been hacked." . He had no cell phone service; Within a few days Miller solved his Gmail and Twitter account and $ 25,000 from his family bank account.
In Miller's case, the attacks deactivated all his Google services, deleted all his tweets, and blocked most of his 1
Both men were victims of SIM swap attacks, where someone uses pieces of personal information to get your cellular service provider to transfer (port) your number and associated phone account to a device in the attacker's possession. With control of your phone number and account, they proceed to break into all connected accounts, usually beginning with email. The attacker changes info in your accounts so you can't get them back, sets up email forwarding in case you regain control of your email, and goes through all your cloud-stored documents looking for things of value.
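The post-takeover steps described above leave a recognizable trail in account audit logs. The following is an added example, not code from the original article or from any provider: it flags accounts where an SMS-verified sign-in from a new device is quickly followed by the changes a SIM swapper makes. The event schema, action names and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not a real provider's log format).
EVENTS = [
    {"ts": "2024-01-01T22:01:00", "user": "alice", "action": "login", "factor": "sms", "new_device": True},
    {"ts": "2024-01-01T22:03:00", "user": "alice", "action": "recovery_info_changed"},
    {"ts": "2024-01-01T22:05:00", "user": "alice", "action": "forwarding_rule_added"},
    {"ts": "2024-01-01T22:09:00", "user": "alice", "action": "bulk_document_access"},
    {"ts": "2024-01-01T09:00:00", "user": "bob", "action": "login", "factor": "totp", "new_device": False},
    {"ts": "2024-01-01T09:30:00", "user": "bob", "action": "forwarding_rule_added"},
]

# Actions the article lists as typical after a hijack (names are assumptions).
FOLLOW_UPS = {"recovery_info_changed", "forwarding_rule_added", "bulk_document_access"}
WINDOW = timedelta(hours=1)


def flag_takeovers(events, min_follow_ups=2):
    """Return {user: sorted follow-up actions} for accounts where an SMS sign-in
    from a new device is followed within WINDOW by enough distinct follow-ups."""
    by_user = {}
    # ISO-8601 timestamps in one format sort correctly as strings.
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)

    alerts = {}
    for user, evs in by_user.items():
        for i, event in enumerate(evs):
            is_risky_login = (
                event["action"] == "login"
                and event.get("factor") == "sms"
                and event.get("new_device")
            )
            if not is_risky_login:
                continue
            start = datetime.fromisoformat(event["ts"])
            seen = {
                later["action"]
                for later in evs[i + 1:]
                if later["action"] in FOLLOW_UPS
                and datetime.fromisoformat(later["ts"]) - start <= WINDOW
            }
            if len(seen) >= min_follow_ups:
                alerts[user] = sorted(seen)
    return alerts
```

A single forwarding rule after an ordinary sign-in, as in the second constructed account, does not trigger the alert; it is the combination with an SMS sign-in from an unfamiliar device that matters.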
It is a uniquely personal and invasive attack. Thanks to Coonce and Miller, we now know a lot more about how these attacks are done and how terrible the destruction is. In Miller's case, we learned how unhelpful T-Mobile, Google, and Twitter were – with both Twitter and Google, Miller was stuck filling out online account recovery forms and sending them off into an abyss or an automated response. And for those wondering, Miller used two-factor (text / SMS) as an extra layer of security for his accounts. But with his phone number out of his hands, it didn't matter.
Miller eventually recovered his accounts, but only because he is a tech journalist specially connected to both companies, who helped him out, as well as using his platforms.
That is both sobering and problematic, as few regular users have this kind of privilege and access. Like you probably are right now, I'm wondering what kind of hell everyone else would be in. Engadget reached out to both Twitter and Google for comment. We did not receive a response from Twitter by time of publication.
According to Google, victims of account hijacking should fill out this claim form. The company also posted information to mitigate SIM-swap attacks and hijacks in this October 2018 post about updates to Google's Security Checkup process and sign-in security. Google also indicates that SIM swapping will not compromise a Google account that is protected by two-step verification.
Furthermore, the company said a non-SMS two-factor method (like a YubiKey) was an option only if the attacker knows the victim's password. Google recommends Google Prompt or Google Authenticator, with physical keys as the strongest form of two-factor. Google also said that SIM swap attacks are rare and confined to specific targets, and that most people do not need two-factor stronger than SMS (text-based).
Needless to say, Google's email was a confusing response to the details we learned in the SIM swap attack and account hijacks experienced by Coonce and Miller. And I, for one, believe that saying most people are fine with SMS as their two-factor, that most people shouldn't worry about SIM-swap attacks, is too conservative to feel like safe advice.
Especially when we consider the context of two important things. First, we are hearing about SIM swaps more than ever and only from high-profile techies – we don't hear about what's happening to regular people. And secondly, there was a big breach which probably turned what is typically a high-effort, targeted attack into a much easier way to grab cash and steal accounts.
That T-Mobile data breach was actually a big deal

Coonce uses AT&T, while Miller uses T-Mobile and Google Fi. The SIM porting process for both networks has terrifyingly minimal security, both companies had customer pins exposed for an unknown amount of time in 2018, and T-Mobile suffered a fairly recent breach of all the info anyone needs to do a SIM swap attack.
According to AT&T documentation, all that is required for transfer is the information one could find on a recent cell phone bill: Account number, name of the account holder, billing address, and "pin or password if applicable" – noting that the minimum billing info is all that's required if someone "can't remember" their pin or password. It is the same for a T-Mobile transfer, just info on a bill, though they do not state if a password or pin is required at all.
In August 2018, T-Mobile was hacked and the billing information of 2.5 million customers was stolen. The company reassured press by stating no financial data was compromised – but I'll bet that wasn't the point. It was all that juicy billing information, with which attackers get way, way more by SIM porting and stealing people's phone numbers and accounts.
The day after T-Mobile's breach news, a researcher discovered that all T-Mobile and AT&T customer account PINs had been sitting there for an unknown amount of time, exposed by website flaws.
Obviously, the SIM porting processes at both companies should have been made way more secure a long time ago – about the time we started to live our entire lives through our phones. But it became even more urgent for T-Mobile to do so after their massive breach. Yet they didn't, and we are here.
SOS – Save our SIMS