Telus-owned Koodo Mobile has suffered a data breach after an unauthorized party accessed its systems and stole customer data from August and September 2017.

According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, an unauthorized person using compromised credentials accessed their systems on February 13th, 2020, and copied customer data from August and September 2017 containing mobility account numbers and telephone numbers.

"What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised," the email stated.

This information can be used by scammers for port-out fraud: with a victim's account number and phone number, an attacker can attempt to port the Koodo Mobile number to a device they control so that SMS two-factor authentication codes are delivered to them instead of the victim, which could allow the attacker to gain access to email and bank accounts.

To prevent this, Koodo has enabled its 'Port Protection' feature on the affected accounts. This blocks any request to port a Koodo Mobile number to another carrier unless the account holder first calls Koodo and asks for the port to be allowed.

Koodo customer data being sold online

The email goes on to say that Koodo Mobile has found evidence that the stolen customer information is being sold online, but states that its Port Protection feature will prevent customers' mobile numbers from being used for fraudulent purposes.

"We have found evidence that the unauthorized third party is offering the information for sale on the dark web. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter," the Koodo notification warned.

They then contradict themselves later in the notification by recommending that affected users not rely on their mobile number for two-factor authentication because of this data breach.

"We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes," the email continues.

Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web sites.

"A different market - one that specializes in automated selling of access to compromised accounts - currently offers over 21,000 Koodo accounts," Laeb told BleepingComputer.

Koodo Accounts for sale

Source: KELA

"As can be seen in the image in the third from the right column, this market also indicates the date in which the account was uploaded. Breaking down accounts scraped from the market by date, we can see an uptick in February," Laeb explained.

Monthly amounts of Koodo accounts sold online

Source: KELA

Unfortunately, Port Protection depends on a support agent verifying the caller's identity before lifting the block, and with the amount of personal information already exposed by other data breaches, it may be too easy for an attacker to gather enough details about a particular customer to pass that check and bypass the Port Protection feature.

Due to this, it is strongly advised that you secure online accounts with a 2FA method that does not depend on your phone number, such as an authenticator app or a hardware security key, rather than SMS codes.

Otherwise, you may run into a problem similar to the one reported by this Koodo customer in the past.

Affected users should also be on the lookout for SMS phishing (smishing) scams that impersonate Koodo and use the account numbers and telephone numbers obtained in this breach to appear legitimate.

Update 3/7/20: Added information about Koodo accounts being sold online.