Koodo Mobile's Data Breach Notification: Customer Accounts and Data Sold on Dark Web
Koodo Mobile, a Canadian mobile flanker brand started by Telus in 2008, has announced customer data has been breached and is now being sold on various Dark Web websites.
Koodo is mostly oriented toward younger customers and differs from its parent Telus by not requiring a fixed term contract. Koodo currently provides postpaid, prepaid, and wireless home phone services.
According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.
"What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised," the email stated.
According to BleepingComputer, this information can be used by scammers to port Koodo Mobile numbers to attacker's devices to receive two-factor authentication codes, which could allow attackers to gain access to email and bank accounts. To prevent this, Koodo has enabled the 'Port Protection' feature on the affected accounts, which prevents attackers from porting a Koodo Mobile number to another carrier unless the account holder first calls and requests it to be done, says the news report.
"We have found evidence that the unauthorized third party is offering the information for sale on the dark web," continued the email. "With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter," the Koodo notification warned.
However, BleepingComputer notes that they then contradict themselves later in the notification by saying that affected users should not use their mobile number for two-factor authentication due to this data breach.