
Interesting... I had something similar happen to me, with minimal outward, acute damage (e.g., running up bills on random credit cards). It is reasonable to assume my entire identity is compromised. Sorry this happened.

How do you know T-Mobile was the entry point, and not, say, Google (e.g., Google Chrome, Google Ads)? What type of phone did you have (e.g., Android or iPhone)? What is your browser and search engine on your smartphone?

Thanks!




I assumed it was T-Mobile after I wiped the phone and had the follow-up incident where a verification code via SMS was successfully verified.

I used an iPhone, Safari mobile, Google search engine.


There's also this giant vulnerability with Apple WebKit, across all devices, that was patched 13 February 2022: https://9to5mac.com/2023/02/13/macos-13-2-1-webkit-security-....


SMS is unencrypted, and Google SE has been compromised for much if not all of 2022. From what I can tell the issue persists. I officially reported it in December, and again in January, and again in February. Pretty wild, TBH. Think about the number of services that have Google SE and Ads integration. Makes me nauseous.

Did you happen to report to Apple and Google (for documentation)?


In what way is the google search engine compromised?


Ways which I shared with Google, because it's a very serious privacy and security vulnerability.

We need more robust security integration to catch things before they are pushed to results. I understand latency will increase, and some ads revenue will decrease. But like, isn't it also cool to have a customer base that is better protected against egregious attacks, attacks that could be prevented? IMO, yes. It's called "stewardship."



