Boost Mobile Detected Unauthorized Activity on Customer Accounts

California-based Boost Mobile, founded in 2000 as a joint venture with Nextel Communications and now a Sprint subsidiary, has warned an unspecified number of customers about unauthorized online account activity that occurred on March 14, 2019.


An undated customer letter posted on the Boost Mobile website provides very little information beyond that "an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code." The implication is that the unauthorized person either already had the user's phone number and PIN code, or acquired it at the same time. There is no indication that Boost Mobile suffered a system breach with large quantities of phone and PIN numbers stolen.


However, with so little information provided, it is difficult to know exactly what happened. The notice merely says, "The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity." Again, it describes unauthorized account activity rather than a system intrusion.


It also says customers have been sent a temporary PIN code with instructions on how to change it to one of their own choosing. If the March 14 incident referred to is merely unauthorized account activity on a limited number of accounts, then changing the account PINs would be enough to protect against further unauthorized activity. There is no indication in this statement of any large-scale data exfiltration by intruders, nor any suggestion that any customers' credit card or social security numbers -- which are encrypted -- have been compromised.


The question then becomes how the attacker got hold of the users' PINs, and whether that is a process that can be repeated against other customers. One option could b ..