It was totally Samsung's fault that crims stole your personal info from a Samsung site, says Samsung-blaming Sprint

Just in case we've not made ourselves clear, Samsung screwed you over, adds Sprint

By Shaun Nichols in San Francisco

Sprint has told some of its subscribers that a piss-poor Samsung website exposed their personal details to the internet.

The North American mobile carrier is right now sending out letters (PDF) to unlucky customers whose account and device details were leaked onto the web thanks to, apparently, dodgy Samsung coding and miscreants.

"On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com 'add a line' website," Sprint wrote in its missive to aggrieved subscribers.

"The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services."

Here's what happened: fraudsters somehow obtained and used some Sprint customers' account information to log into the Samsung add-a-line website and, from there, gathered additional personal details on Sprint accounts. Add-a-line is or was, from what we can tell, a means to add additional services to your phone's postpaid monthly voice plan.

PIN pointed

The disclosure notice did not specify whether those Sprint customer details were used for any further shenanigans, but Sprint did say it was resetting customer PINs in at least some cases. The carrier did not say how many of its customers were affected.

"No other information that could create a substantial risk of fraud or identity theft was acquired," Sprint added.

Samsung, for its part, admits its site was the source of the leak, but said the credentials used by the attackers were gathered elsewhere.

"Samsung takes security very seriously. We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung," a Sammy spokesperson told El Reg.

"We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts."

While Sprint did not say it would be offering any identity protection services, the carrier is advising customers to keep a close eye on their accounts and consider placing a credit fraud alert and notifying authorities if any suspicious activity is found. ®
