Google Fi hack victim had Coinbase, 2FA app hijacked by hackers

On January 1, a technologist who goes by the nickname regexer received an email saying he had successfully reset his account at the crypto exchange Coinbase.

Unfortunately — and worryingly — he had actually not requested a password reset. Regexer, who asked to be referred to by his online moniker for fear of being targeted by hackers again, quickly realized he was being hacked, and his attempts to log into his Coinbase to regain control were unsuccessful.

Soon after, he noticed he had no cell phone service. Then, his two-factor app, Authy, notified him that a new device was added to his account. After the hackers took control of regexer’s cell phone service, the hackers were able to reset the passwords on his accounts and intercept two-factor SMS messages. That allowed the hackers to take control of Authy, giving them the ability to use the 2FA codes created by the app, according to regexer.

This gave them a chance to break into even more accounts owned by regexer.

“Now I don’t know what the hell is going on. I am totally owned,” regexer told TechCrunch, recalling the incident.

Unsure what to do, regexer started changing passwords on his other important accounts that had apparently not been compromised yet. Then, on a whim, he turned airplane mode on and off on his iPhone. Somehow, after that, his cell phone service was restored.

Regexer isn’t sure if turning airplane mode on and off is what stopped the attack, but he is glad that it happened.

For weeks, regexer had no idea how he had been hacked. Then, on Monday, he received an email from his cell phone provider, Google Fi, informing him and all other customers that hackers had stolen some customers’ information, likely connected to the recent breach at T-Mobile.

Unlike for other customers, the email regexer received contained more detailed information about the hack he suffered weeks prior.

“Other data related to your Google Fi account also may have been accessed without authorization, such as a zip code, and the service/emergency address associated with your account,” read the email, which regexer shared with TechCrunch. “Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.”

Regexer said he has talked to two Google Fi customer representatives trying to figure out more details about what happened, but neither of them told him anything. And, interestingly, regexer didn’t see any evidence that his Google account, which is tied to the Google Fi account, was compromised. It’s unclear how the hackers were able to perform the SIM swap.

Google has not responded to a request for comment. And it’s not yet known if there were other people, or how many, specifically targeted by hackers the way regexer was.

While the attack was ongoing, regexer found out the hackers had also taken over his Outlook email account, and — smartly — in an effort to hide their actions, deleted the emails informing of the password reset.

Even though nothing else happened since January 1, regexer is still worried and is calling on Google to disclose more information.

“The main thing I’d like to know is whether I and others are still vulnerable, and if there’s anything we can do to protect ourselves. I’d love to know more details about the mechanisms that were used for the phone number takeover because that will shed light on the level of ongoing vulnerability and methods for defense, as well as whether SMS two-factor remains better than no two-factor at all. (I can replace SMS for some online accounts, but not all. Many banks and others only allow two-factor via SMS.) I’d also love to know how many people had their phone numbers hijacked in connection with the breach, and, if it was a small subset, was there any reason that we in particular were targeted,” regexer said.

“So unless Google sheds more light on the attack, there is a big open question about how vulnerable people’s phone numbers now are.”


Are you a Google Fi subscriber that was also a victim of a similar attack? Did you also get a personalized notification from the company about the hack against you? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.