Subscribers of Google’s prepaid wireless service Google Fi may have been impacted by a data leak involving the service’s wireless network provider, T-Mobile.
Earlier this month, T-Mobile began notifying customers that a person or group misappropriated an application programming interface (API) to collect non-personal information about millions of subscribers, including those who pay for prepaid service.
The incident was a data breach in the conventional sense — no serious personal information like passwords, credit card numbers or Social Security numbers were collected — but a limited amount of information like e-mail addresses and subscriber names that T-Mobile typically provides to marketers was collected.
The API leak started in November 2022 and lasted until T-Mobile shut off access in early January, the company affirmed. At the time, it seemed like the only customers impacted were those who subscribed to T-Mobile or its prepaid subsidiary, Metro by T-Mobile.
Now, it appears the information collected might have also impacted wireless network resellers, called mobile virtual network operators (MVNOs), that sell service that runs on top of T-Mobile’s network.
Google Fi is one such MVNO, and it began notifying some customers this week that non-personal data was collected as part of a security incident involving their “primary network provider” — which would be T-Mobile.
“We’re writing to let you know that the primary network provider for Google Fi recently informed us there has been suspicious activity relating to a third party system that contains a limited amount of Google Fi customer data,” the letter sent to customers read.
Google Fi said the information collected by the person or group was largely used for support purposes, and contained a limited amount of data, including the date customers started service, their SIM card serial number and whether their account was active or inactive.
“Our incident response team undertook an investigation and determined that unauthorized access occurred and have worked with our primary network provider to identify and implement measures to secure the data on that third party system and notify everyone potentially impacted,” the letter continued. “There was no access to Google’s systems or any systems overseen by Google.”
Google Fi reaffirmed that no passwords, credit card numbers or other sensitive information was affected, and customers don’t need to change their account passwords or cancel their credit cards as a result of the data leak. The company said Google Fi service continues to work as normal.