Koodo Community

I need some help with an unauthorized SIM swap that keeps happening to my prepaid Koodo account. This is the 2nd time it’s happened in 3 days. The first time it happened the Koodo rep said “I” changed it via my self serve. I kept trying to tell him this is impossible because A. I have a unique password for my Koodo self serve login. B. Even if someone had this password, in order for the hacker to change the SIM he would need to 1. send a text message to confirm the SIM swap (never got one, and I checked my usage history to confirm that), or 2. send an email with a confirmation for the SIM swap. I never received that email (only the email after the swap that it happened). My email is also protected by Google Auth so there is no way anyone has access to my email (I also checked my security logs to confirm this). Anyway I didn’t fight the Koodo self serve rep who kept denying it was them. I changed all my passwords again just to be safe (even though it’s protected with 2FA and impossible to get in without that). I got my phone back yesterday and tonight it happens again! Again, just an email alert saying my SIM has been swapped. This has to be done via someone calling in pretending to be me. But I keep hearing the same thing, how it’s been done through my self serve account. This is impossible because yet again I didn’t receive a text before the SIM swap or an email before the SIM swap to authorize this SIM change. So it has to have happened through them calling into Koodo or their system somehow being hacked (unlikely). Koodo prepaid has no option to see security logs of who logged in either. But again, even if they somehow got my new password they can’t change the SIM without a confirmation code, which they couldn’t have gotten ahead of time. I’m so frustrated at this experience and I just want a solution.

Thank you I will look into that


Very annoying. Now I don’t know how my Koodo prepaid SIM was changed again, twice in 2 minutes, an Authy new device added in a minute, and my email password changed again 2 minutes later.



No email or SMS request to approve SIM change so I don’t understand how it’s able to be changed.


You know, you are not the first one to report this. One of the Mobile Masters has alerted Koodo.

Meanwhile, in addition to Authy, I highly suggest a password manager as well (I use Bitwarden). Change all your passwords to a random, unique 20-digit password.

Did you get your prepaid account back? If not, you should contact Koodo immediately at koodomobile.com/prepaidchat


I can still log into my prepaid account; the password wasn’t changed. I just changed it yesterday and now I’ve changed it again. I’ve tried to chat with that bot and I get nowhere.



I think you may need to ask for an agent a few times to be able to schedule a callback. I think Koodo can manually block your account to prevent a future SIM swap. You don't have to if everything is well again, but it might give you more peace of mind.


Yeah it wanted to schedule a call back but unfortunately I don’t have access to a phone lol, just going to go to the koodo/Telus store when it opens in 3 hours 


You could also send them a DM on Facebook or Twitter. Not sure what the store can do for you. Good luck in getting it all sorted, no fun!


Jeremy - very sorry to hear this. I happen to be in *exactly* the same situation:

  • Sim card was somehow swapped by the hacker on Saturday November 5th, 2022 in the middle of the night. 
  • I did not receive any notifications or contacts from Koodo asking me if I authorize this. Just an email that it had already been changed. Which seems to be a very irresponsible policy or a major security oversight.
  • The new sim was then used to access my Newton account and clean out every last cent.

Since then,

  • I have contacted Newton (by email, you can’t actually speak to anyone), but despite claims of fraud protection all over their website, they claim that nothing can be done and that the money is gone. Interestingly, on their website is this: “We maintain various forms of insurance to cover off risk of loss or theft for our wallets”. I have written back pointing this out but have not received a reply yet. I don’t plan to let this go...
  • I secured (for now) my Koodo account, and then later called Koodo back to see if they have more info on what happened. They claim that the only way to change a sim is via a customer rep on the phone or by logging into the Koodo website. They could not tell me how the sim was changed. They indicated that I should have received a message asking if I wanted to make the change before it was confirmed. However, I did not receive any messages and certainly did not authorize it. I just received an email that it was already done. This seems like a major error that resulted in very significant financial loss.
  • Koodo rep stated that a form is being submitted to their fraud protection team and that they would contact me within one week. I did ask about compensation for Koodo security breaches and was informed to inquire about this when the fraud team contacts me. We’ll see where that goes…

Get in touch with me if you want to coordinate efforts with Koodo or Newton. Power in numbers perhaps?


@MattE 

Knowing what I know now, I would go out and buy a replacement Koodo SIM card and swap the SIM number to that new SIM number. The rep gave me these basic instructions: re-enable your suspended Koodo account, then go and update the SIM Number using your new SIM Number (it is printed on the physical SIM card). Do the above steps close together, of course, since once unsuspended, the hacker has access to your phone.

After that, ask Koodo to credit your account back for the SIM. The rep credited my account $20 without me asking and told me to go and get replacement SIM card as my original won’t work after the swap but I don’t see why you can’t do that the other way around. Good luck.


A strong self-serve account password should suffice. Preferably, a lengthy password that consists of alphanumeric characters, symbols or hyphenated phrases. Changing the account security question also acts as a deterrent. It’s a good idea to change email account and online banking passwords. If possible, try using a different method for 2FA other than your phone number. Changing your phone number is another option.

Report the incident to the Anti-Fraud Centre.

From other posts, the attack begins by breaching the email address associated with your Koodo prepaid account. The hacker has no interest in your phone, nor access to it. They’re after the information contained in the account, which could lead to hacking other accounts using your credentials.

I’m not knocking the new SIM card approach, all ideas are welcomed. Though, I think when preventive measures are taken, this should deter account breaches and SIM swap attempts in the future. Password vaults are your friend. They store passwords and some include password generators, (Bitwarden).


Thank you for your patience as we are still investigating. We want you to know that Koodo takes the privacy and security of our customers very seriously. In the meantime, in order to stay safe, please log in to your Self-serve, put your phone on Lost/Stolen mode to temporarily suspend service and update your password.

I’ll be sending everyone, who mentioned having this issue, a private message with some more details. 


> A strong self-serve account password should suffice

The attack does not go through the self-serve account, so I’m not sure how you expect this to help. I don’t know the details of the breach, but my SIM swap was absolutely not a result of someone getting into my prepaid account and swapping the SIM there. There is some other avenue the attacker is hitting, presumably internal.


The EXACT same thing happened to my husband on Nov 6th. No one from Koodo is calling us back. Can an official Rep please message me?


This is very disturbing and I hope Koodo advises all their clients on what we should be doing to prevent this.


To the victims of this attack wondering if this is something you did wrong, Koodo / Telus security confirmed to me that it was indeed an internal security breach on Koodo’s side.


Apparently a customer service rep was tricked into giving out their credentials / login info, which was then used to perform the sim swaps. Further investigation is ongoing.


Needless to say, this is far from over and we could see legal involvement.


If you guys are all on prepaid then follow these steps:

  • Create an email strictly for Koodo.
  • Change your name and address on your self serve account (you can change it to whatever you like, e.g. Ice Cream, 420 High Street).
  • Do not use your personal email/password for the Koodo website.
  • Do not use a browser password manager (Chrome, Safari, etc.).
  • Do not use your cellphone number as 2FA for banks, PayPal, etc.

Convenience is the worst type of security out there. What is convenient for the customer, is convenient for the fraudsters 

Also, for the customers using their real identities on this forum: that’s priority #1 and the first step to protecting yourself...




I am on prepaid.  I was the victim of an unauthorized SIM swap late last night.  I did not get a notification to approve the swap, just a random email stating the SIM swap had occurred.  

The fiend moved quickly to gain access to Newton and drain my crypto holdings.  I happened to be driving when the notification email came in, and did not block my phone (Koodo Prepaid self-service lost/stolen) fast enough to prevent the transfers.  Everything happened in about 10 minutes.

I had to wait until this morning for customer service to reopen to switch my phone number back to my original SIM.  I have not heard back from Koodo security (or Newton security) yet about any next steps.

Koodo customer service acknowledged this is a known issue…



Newton can not recover funds.  Newton says under their terms of agreement the user is responsible for having a secure phone number.

The email reply from Koodo is below.  I have reached out to Koodo to followup and was told it will take 24-48 hours.

Dear valued customer,

Koodo understands how important your privacy is to you, and it’s just as important to us. We have taken measures to investigate and address a security incident involving your account. This notice explains what happened, what we have done, and what you can do.

What happened

Our investigation determined that your account was improperly accessed by an unauthorized party using stolen Koodo credentials. The unauthorized party completed a SIM Swap on November 20, 2022 and may have viewed account information, including information provided at the time of activation, which may include name, address, telephone number, SIM card number, last four digits of credit card and expiry date, and payment history.

It is possible that the unauthorized party may have been attempting to intercept 2 Factor Authentication or password reset codes sent via SMS to gain access to your online accounts (including those held at cryptocurrency and financial institutions).

What we are doing:

We will be reporting this incident to the Office of the Privacy Commissioner of Canada.

Koodo is completing a thorough review of our processes and implementing additional security measures. In addition, we have noted your account so when you call in to Koodo we may ask you more questions than usual to protect your account from unauthorized access.

What you can do:

We recommend that you:

  1. Update all your existing passwords, and ensure you do not use the same username or password for multiple sites. Strong and unique passwords will help safeguard your accounts
  2. Monitor all your online accounts closely for suspicious activity
  3. Report to your local police if you have experienced any fraudulent activity
  4. Contact Equifax at 1-800-465-7166 and TransUnion at 1-800-663-9980, to add a fraud alert to your credit file for added protection
  5. Enable multi-factor authentication, use a third-party authenticator application or set up a password manager for all your online accounts
  6. Do not register your mobile telephone numbers on online accounts and use an alternative method to receive One Time Passcodes or 2-Factor Authentication codes

We would like to offer you, at no cost, a five-year subscription to TELUS Online Security Ultimate, Powered by Norton™, Canada’s most comprehensive identity theft protection product. This package includes the following features:

  1. Device Security and Secure VPN
  2. Dark Web Monitoring and Social Media Monitoring
  3. Full-Service Identity Restoration
  4. Investment Account Activity Alerts
  5. Bank & Credit Card Activity Alerts
  6. Two-Bureau Credit Monitoring

If you wish to activate with TELUS Online Security Ultimate, Powered by Norton™, or if you have any further questions, please contact us at 1-855-525-6636, Monday to Friday, 8 am to 5 pm EST/MST.

At Koodo, maintaining your trust is of utmost importance to us. We sincerely regret any inconvenience or concern this situation may have caused. The entire team at Koodo looks forward to continuing to serve you.

Sincerely,
The Koodo Team


So, Koodo has known about this for at least three weeks, but they have not notified customers, and it just happened again two days ago with Jadzia Dax above?

What is going on???



UPDATE (This was before I read the latest replies of so many others having this issue now.)

In the end I was pretty much brushed off, and my original questions about how their 2-factor authentication is not properly working are now completely ignored, as are any emails I send back. All I got was an email for a free Norton security watch. So I have changed companies, as I can no longer trust the security of Koodo/Telus systems, since nothing was fixed to solve this security issue. It’s clear as day that their 2-factor was bypassed as:

  1. I received no email authorization message or text before the SIM card was switched. Not to mention it happening twice, after I changed my passwords to my Koodo profile before it happened a 2nd time.
  2. It doesn’t even matter if they had my password. It should be impossible to get around 2-factor as long as your 2FA device is secure, which is either a text message or an email message. I know for sure my email is secure, as I have Google Auth to log in, and I checked my email security logs and no one else logged in. So they can’t brush it off as someone got into my email etc. I didn’t get a text authorization ahead of time, and I can confirm that by going into my usage logs: I see no text was sent before it happened.
  3. The Koodo rep said it wasn’t from anyone calling in pretending to be me. It was done via Koodo self serve, because they would have a note on my account if it was. Well, if it was a bad employee (this is a “what if”, not saying this is the issue) it’s not like they are going to leave a note.


Funny enough, even when I put my phone in lost and stolen mode another unauthorized SIM swap happened again. Went from stolen SIM to another stolen SIM lol. It’s like their system has been completely compromised. I’m not making this up. I have been a network security administrator for the past 15 years. I’m not a clueless senior that knows nothing about security or tech. If anything I’m way more security conscious than the average user. Koodo doesn’t even have a security page to check who logs into your profile etc. like most online companies do. I get it’s a budget cell company but the lack of security is shocking. I’m pretty much getting “We have no idea what’s going on” and that’s it. The gist I’m getting is “We asked some tech people and they say 2FA is working”. Wonderful! If I try to do a SIM swap too, yes, the 2FA is working as well. The issue is when JOE BLOW scammer does it, then it doesn’t work, and that’s what I keep telling them. I don’t care if it works most of the time. It for sure isn’t working when the scammer does it. Don’t they have logs of their 2FA? Can’t they go see that no email or text message with an authorization code was sent? I check security logs for my job weekly; why wouldn’t a company this big have this?? Anyway my emails are now not being answered and I’m still in the same boat. All I got was go ahead and report it to the government and remember to change your passwords bla bla bla, which isn’t the damn issue. They are still ignoring the problem that 2FA in the Koodo/Telus system for a SIM swap is being bypassed in my case (wouldn’t be surprised if it’s happening to others). Anyway, super frustrated. Been a Koodo prepaid and postpaid user for years but I’m now with another carrier, without issues, with a new number. I have had maybe 5 other users private message me with the same exact problem. Some with almost the exact same timeframes as well.
Some had the issue where their email was compromised first (then that is the issue in their case) and others like me where they didn’t have a compromised email for their 2FA.

Another advice tip in the email they sent was to use 2FA for all your services. Yes, I already had that before this happened in the first place, and it saved me from the scammer getting into my email even with my phone number. I also got “we will make sure if anyone calls that we ask for more security questions”. Wonderful again, but I don’t know how this will help, as they are saying the unauthorized SIM swap happens from someone logging into my Koodo self serve, so none of these extra questions help in this case.

Funny thing is they don’t even allow Google Auth or any other 2FA method for Koodo self serve, so you can’t even do that for them. The only 2FA they have is for authorizing the SIM swap, which, as you have heard me complain now many times, hasn’t worked properly in this case. So I’m done, as all the security advice I’m getting is not related to the real issue going on. I’m not going to go spend $10 every week to get a new SIM card (old ones can’t be reused) because nothing has actually been fixed, as far as I can tell, to actually stop this issue. Do you think I want to call in and wait for weeks every time this happens just to be brushed off with the basic advice to change your password etc. as we ignore the real issue? Not to mention my phone being disabled every time this happens. I have spent hours explaining this to Koodo reps and Koodo privacy reps, as it is an odd case. I have gone above and beyond to explain this issue (probably because I’m a security nerd myself). Most users, I think, would just give up and change companies long ago if this kept happening to them.

Would have been nice getting some answers to the questions I already sent in to their privacy team, which were:

  1. Did you see any other IP addresses logging into my self serve account?
  2. Do you have any logs showing when the scammer did the unauthorized SIM swap, to see if I got a text or email for the 2FA authorization ahead of time (I gave them dates and times when it happened)? This would prove whether 2FA is or isn’t being bypassed somehow.
  3. If an issue was found, was it actually properly fixed?
  4. Can you add security options like the Google Authenticator 2FA app to log into accounts etc.?

This is extremely disturbing.


Koodo what say you?
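The questions in the post above (was a confirmation code ever sent before each swap, and can the swaps be tied to one login?) are exactly what a carrier's fraud team would answer by correlating its own audit logs. As an added illustration that is not part of this thread and not Koodo's or Telus's code, the Python below runs that correlation over a constructed event log: it flags a SIM swap when no customer-verified code precedes it within a window, when it was done from a rep-portal session with no account note, when the line was already in lost/stolen mode, or when it re-swaps a number that was swapped minutes earlier, and it separately counts swaps per rep login, the signal a stolen rep credential leaves behind. The event schema, field names, actor labels, and the sample events are all assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp such as 2022-11-20T03:10:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events. The schema (type/actor/note fields) is an assumption
# made for this example, not a real carrier log format.
SAMPLE_EVENTS = [
    # acct-2: a legitimate self-serve swap preceded by a code the customer verified
    {"ts": "2022-11-20T03:00:00Z", "type": "otp_sent", "account": "acct-2", "channel": "sms"},
    {"ts": "2022-11-20T03:01:10Z", "type": "otp_verified", "account": "acct-2", "channel": "sms"},
    {"ts": "2022-11-20T03:01:30Z", "type": "sim_swap", "account": "acct-2",
     "actor": "self_serve", "actor_id": "cust-2", "new_iccid": "ICCID-B"},
    # acct-1: the pattern reported in the thread. Two swaps two minutes apart, no code
    # sent, done from a rep-portal session with no account note, the second one while
    # the line was already flagged lost/stolen.
    {"ts": "2022-11-20T03:10:00Z", "type": "sim_swap", "account": "acct-1",
     "actor": "csr_portal", "actor_id": "rep-417", "new_iccid": "ICCID-X"},
    {"ts": "2022-11-20T03:11:00Z", "type": "lost_stolen_set", "account": "acct-1"},
    {"ts": "2022-11-20T03:12:00Z", "type": "sim_swap", "account": "acct-1",
     "actor": "csr_portal", "actor_id": "rep-417", "new_iccid": "ICCID-Y"},
]


def analyze_sim_swaps(events, approval_window=timedelta(minutes=15),
                      reswap_window=timedelta(minutes=30)):
    """Return one finding per SIM swap that fails at least one control check."""
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    last_swap_at = {}      # account -> time of the previous swap
    lost_stolen = set()    # accounts currently in lost/stolen mode
    for e in evs:
        t = parse_ts(e["ts"])
        acct = e["account"]
        if e["type"] == "lost_stolen_set":
            lost_stolen.add(acct)
        elif e["type"] == "lost_stolen_cleared":
            lost_stolen.discard(acct)
        if e["type"] != "sim_swap":
            continue
        reasons = []
        # Control 1: the customer verified a code for this account shortly before the swap.
        approved = any(
            x["type"] == "otp_verified" and x["account"] == acct
            and t - approval_window <= parse_ts(x["ts"]) <= t
            for x in evs)
        if not approved:
            reasons.append("no_verified_customer_approval")
        # Control 2: a rep-driven swap should carry an account note explaining it.
        if e["actor"] == "csr_portal" and not e.get("note"):
            reasons.append("csr_swap_without_account_note")
        # Control 3: a suspended (lost/stolen) line should not be re-provisioned.
        if acct in lost_stolen:
            reasons.append("swap_while_lost_stolen")
        # Control 4: a second swap minutes after the first is abnormal for a real customer.
        prev = last_swap_at.get(acct)
        if prev is not None and t - prev <= reswap_window:
            reasons.append("rapid_reswap")
        last_swap_at[acct] = t
        if reasons:
            findings.append({"ts": e["ts"], "account": acct,
                             "actor_id": e["actor_id"], "reasons": reasons})
    return findings


def busiest_csr_actors(events, window=timedelta(hours=1), threshold=2):
    """Credential-theft signal: one rep login performing many swaps in a short window.

    Returns {actor_id: max swaps seen within any window starting at one of its swaps}.
    """
    swaps = sorted(
        (parse_ts(e["ts"]), e["actor_id"]) for e in events
        if e["type"] == "sim_swap" and e["actor"] == "csr_portal")
    flagged = {}
    for i, (t0, actor) in enumerate(swaps):
        n = sum(1 for t, a in swaps[i:] if a == actor and t - t0 <= window)
        if n >= threshold:
            flagged[actor] = max(flagged.get(actor, 0), n)
    return flagged


if __name__ == "__main__":
    for finding in analyze_sim_swaps(SAMPLE_EVENTS):
        print(finding)
    print("rep logins over threshold:", busiest_csr_actors(SAMPLE_EVENTS))
```

Run against the constructed log, the legitimate acct-2 swap produces no finding, the first acct-1 swap is flagged for lacking a verified code and an account note, and the second acct-1 swap additionally trips the lost/stolen and rapid re-swap checks, while rep-417 is the only rep login over the per-actor threshold. The point is that every signal the poster asked Koodo for is derivable from the carrier's own event stream; the hard part is having the logs retained and joined, not the detection logic.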


@Martin Weiss

It seems that it’s crypto users who are having these issues. My question is how does one keep gaining access to the new passwords? I honestly believe that changing providers isn’t going to solve your problem. This hacker has access to your device or something else. I would check and re-check the apps that are installed. Your identity is compromised… I believe whatever provider you’re with, as long as it’s under your name, you will always have trouble…


We understand the frustration that impacted customers are feeling, and want to let you know that we are actively investigating. We are working hard to get to the bottom of this, and apologize for any inconvenience caused. In the meantime, our privacy team is making every effort to contact affected customers directly. 

@Jadzia Dax  - Please expect a call from a member of our privacy team to help support you today.

Thank you for everyone's patience as the investigation continues.


Got an email from Koodo a couple of weeks ago saying that for my troubles they are giving me a free subscription to Telus’s Norton Security for 5 years. I finally got around to calling the number in the email, and I get an automated reply that sent me a text link that tries to initiate a bot chat. I had to jump through some hoops to get the auto chatbot to “call back”, as it asked me to log in, which I did, but that gets into a loop. Eventually, I had to tell the chatbot that I can’t log in. After scheduling the callback, I got to talk to someone, but they tell me that the offer does not apply to me as I am a prepaid customer! Why did they even send me that email? This is adding insult to injury! Did anyone else get the email below?



Dear valued customer, 

Koodo understands how important your privacy is to you, and it’s just as important to us. We have taken measures to investigate and address a security incident involving your account. This notice explains what happened, what we have done, and what you can do. 


What happened


Our investigation determined that your account was improperly accessed by an unauthorized party using stolen Koodo credentials. The unauthorized party completed a SIM Swap on 30-Oct-22 and may have viewed account information, including information provided at the time of activation, which may include name, address, telephone number, SIM card number, last four digits of credit card and expiry date, and payment history.

It is possible that the unauthorized party may have been attempting to intercept 2 Factor Authentication or password reset codes sent via SMS to gain access to your online accounts (including those held at cryptocurrency and financial institutions). 

What we are doing:

We will be reporting this incident to the Office of the Privacy Commissioner of Canada. 

Koodo is completing a thorough review of our processes and implementing additional security measures. In addition, we have noted your account so when you call in to Koodo we may ask you more questions than usual to protect your account from unauthorized access. 

What you can do:

We recommend that you:

  1. Update all your existing passwords, and ensure you do not use the same username or password for multiple sites. Strong and unique passwords will help safeguard your accounts
  2. Monitor all your online accounts closely for suspicious activity    
  3. Report to your local police if you have experienced any fraudulent activity    
  4. Contact Equifax at 1-800-465-7166 and TransUnion at 1-800-663-9980, to add a fraud alert to your credit file for added protection    
  5. Enable multi-factor authentication, use a third-party authenticator application or set up a password manager for all your online accounts    
  6. Do not register your mobile telephone numbers on online accounts and use an alternative method to receive One Time Passcodes or 2-Factor Authentication codes     

We would like to offer you, at no cost, a five-year subscription to TELUS Online Security Ultimate, Powered by Norton™, Canada’s most comprehensive identity theft protection product. This package includes the following features: 

  1. Device Security and Secure VPN 
  2. Dark Web Monitoring and Social Media Monitoring
  3. Full-Service Identity Restoration 
  4. Investment Account Activity Alerts 
  5. Bank & Credit Card Activity Alerts 
  6. Two-Bureau Credit Monitoring 

If you wish to activate with TELUS Online Security Ultimate, Powered by Norton™, or if you have any further questions, please contact us at 1-855-525-6636, Monday to Friday, 8 am to 5 pm EST/MST.

At Koodo, maintaining your trust is of utmost importance to us. We sincerely regret any inconvenience or concern this situation may have caused. The entire team at Koodo looks forward to continuing to serve you.

Sincerely, 

The Koodo Team