Vodafone’s ‘ho. Mobile’ Had a Catastrophic SIM ID Leak
- ‘ho. Mobile’ had a data breach that they failed to detect or disclose when it happened.
- The result was the leak of SIM card ICCID codes, which would be very useful for SIM swap actors.
- The database was already posted for sale on the dark web, and at least one person has bought it.
Italian low-cost mobile operator and ‘ho. Mobile’ belonging to Vodafone Group is investigating a severe data leak incident that has exposed crucial SIM data that could enable SIM swap actors to compromise about 2.5 million subscribers. For now, and as a response to the risk, the operator is offering free SIM card replacements to all of the affected individuals and circulating notifications to inform the people of the unfortunate event.
The discovery of the incident came when Twitter account ‘Bank Security’ posted the news about a new dump that appears to belong to ‘ho. Mobile.’ The dump seller claimed to hold PII, phone numbers, SIM ICCID, email addresses, physical addresses, birth dates, and fiscal codes.
The selling price was set to $50,000, and it is believed that at least one person purchased the entire database. The seller may break up the data into smaller chunks later on, selling them to more users for less.
Several researchers tested samples of the data by contacting random people, so the validity has been confirmed. At first, ho. Mobile stated that they saw no definitive proof of a leak affecting them or their customers, and an initial investigation allegedly yielded no evidence of massive access to their systems that could have jeopardized customer information. Since they’re offering SIM replacements now, we guess that they have silently accepted the legitimacy of last week’s reports.
If you’re a ho. customer, the first thing that you could do is to purchase a new SIM from another operator and change all your 2FAs to the new number. Second, you may contact ho. at ‘192121’ or ‘800688788’ to ask for more information about how this incident affects you in particular. And third, you should report the incident to the Italian data protection office so that further steps may be taken. It appears that ho. Mobile - and by extension, Vodafone - hasn’t optimally handled this incident.
With precious time lost from the discovery to the circulation of notices, the risk of SIM swap is real. If you have no signal on your smartphone or your SIM appears to have been deactivated, it means hackers already got you. The 19-digit ICCID codes that have been leaked are the SIM’s unique identifiers, so it would be the first thing that swappers could have asked for.