U.S. telecommunications company Sprint Corp. has been hacked with an unknown number of accounts compromised, but in a twist, the company is blaming Samsung Electronics Co. Ltd. for the data breach.

Affected customers were informed of the hack via email today, weeks after the hack was detected June 22. Data stolen in the hack included phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services.

Passwords and other data that Sprint describes as creating “a substantial risk of fraud or identity theft” were not stolen.

Sprint added that it had “taken appropriate action” to secure all accounts and is yet to detect any fraudulent activity relating to the hack. Affected customers have been forced to reset their Sprint PINs as a precaution.

The hack is alleged to have come via the Samsung “add a line” website. Samsung does sell phones directly from its website in the U.S. whereby customers can subscribe to Sprint, but how Sprint customer data was compromised by Samsung is not entirely clear.

A spokesperson for Samsung told CNET that it had “recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung,” and that it had “deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts.”

“Sprint’s breach could not come at a worse time for the company, Jonathan Bensen, chief information security officer at cybersecurity platform Balbix Inc. told SiliconANGLE. That’s because it recently announced a $26.5 billion merger agreement with T-Mobile in an attempt to take on wireless leaders Verizon and AT&T in a bigger way.

“If the two enterprises do merge, it is critical that the pair implement security solutions that scan and monitor all T-Mobile and Sprint-owned and managed assets as well as all third-party systems to detect vulnerabilities that could be exploited,” Bensen said. “Proactively identifying and addressing vulnerabilities that would put them at risk, such as the Samsung.com threat that lead to this breach, is the only way to stay ahead of future breaches and avoid litigation, fines under data privacy laws, retain brand image, increase the organizations’ market share and beyond.”

Anurag Kahol, chief technology officer at cloud security access broker Bitglass Inc., noted that the breach leaves Sprint customers vulnerable to identity theft and fraudulent activity.

“When armed with payment card information and personally identifiable information, malicious parties can engage in highly targeted phishing attacks, make fraudulent purchases, sell said data on the dark web for a quick profit, and much more,” Kahol said. “While Sprint has resecured all compromised accounts by resetting PIN codes, it is still unknown when hackers first gained access to the customer accounts, and what damage may already be done.”

Photo: jeepersmedia/Flickr