In another major security incident affecting Iran's telecommunications sector, hackers have gained access to the customer database of Mobile Communication Company of Iran (MCI), also known as Hamrah-e-Aval, the country's largest mobile operator. This breach follows previous incidents, including the Irancell hack from several years ago, establishing a concerning pattern of data security vulnerabilities in the country's telecom infrastructure.

Our investigation, based on direct evidence and information from the hackers themselves, reveals that the breach exposed highly sensitive personal information of millions of Iranian citizens, raising serious privacy and security concerns.

To verify the legitimacy of the breach, we requested sample data from the hackers for an individual affiliated with Sahab Pardaz, a company sanctioned by the United States for violating human rights in Iran. This particular individual is responsible for filtering proxies, VPNs, and internet censorship in Iran (مسئول پالایش پراکسی‌ها، وی‌پی‌ان‌ها و سانسور اینترنت در ایران). The data provided was confirmed to be accurate, containing detailed subscriber information.

The scope of the compromised data is extensive. The hackers gained access to MCI's comprehensive customer database structure, which contains detailed records including personal identifiers such as full names (first, middle, last names), customer IDs, and customer codes. The breach also exposed contact information including mobile phone numbers, home phones, office phones, fax numbers, and email addresses.

Technical data exposed in the breach includes ICCID (SIM card identifiers), IMSI numbers, network types, and subscriber IDs. The structure of the data suggests the breach exposed both active and historical customer records, potentially affecting current and former MCI subscribers.

Below are just partial samples of the compromised fields - the full records are much more extensive and include sensitive details such as home addresses, complete identity documents, personal contact information, and other private data as outlined earlier in this article. We've also redacted portions of the identifiers for privacy reasons:

First subscriber sample (partial fields only): The data shows a SIM card with identifiers ICCID: 8998112900065620*** and IMSI: 432112965620***, phone number 9104484*** (Iranian mobile format), account type "دائمی" (Permanent/Postpaid subscription), and account status "فعال" (Active). The activation date was April 2015 (Unix timestamp: 1430636820000), with brand "MCCI اعتباری" (MCI Prepaid service converted to postpaid). The SIM card has been changed at least once (haveChangeSimCard: "1") and the preferred language is Persian.

Second subscriber sample (partial fields only): This record contains SIM card identifiers ICCID: 8998113900007185*** and IMSI: 432113907185***, phone number 9177065*** (Iranian mobile format), account type "دائمی" (Permanent/Postpaid subscription), and account status "فعال" (Active). The activation date goes back to November 2005 (Unix timestamp: 1130619300000), with brand "MCCI دائمی" (MCI Permanent/Postpaid service), preferred language Persian, and plan name "طرح پیش فرض اصلی سیم کارت دائمی" (Default main plan for permanent SIM card).

We observed that when Digiato.com, a technology website in Iran, first reported on the data breach, they faced significant pressure from both the Iranian regime and MCI officials. This pressure resulted in the removal of the article, raising concerns about transparency and the public's right to know about security incidents affecting their personal data.

This data breach occurs against a backdrop of extensive digital surveillance and information control in Iran. Telecommunications companies like MCI are closely working with intelligence services in the country, with telecommunications data frequently used for monitoring citizens. According to sources, these telecom providers have even facilitated ways for security services to intercept two-factor authentication (2FA) SMS codes without the mobile phone owner's knowledge, allowing covert access to citizens' online accounts. The breach has now made public the inner workings of this surveillance infrastructure and exposed the personal data of millions of Iranian mobile users.

At the time of publication, MCI has not issued any public statement acknowledging the breach or taking responsibility for the data exposure. Instead, they have focused on pressuring journalists in the country to remove articles about the breach, threatening to block websites that report on the incident. The company has also not provided affected customers with any guidance on how to protect themselves following this major security incident.

In the context of Iran, this exposed data could primarily be used for financial fraud within the country. However, outside Iran's borders, the same information could serve entirely different purposes, including intelligence gathering and profiling of Iranian citizens.

The hackers told us that MCI was using Oracle database technology, and importantly, the information was not hash-encrypted. They noted the presence of surveillance-related database fields such as "securityFlag", "hiddenFlag", "attachSecretMark", and "isRecordTrace" within the database structure.

Interestingly, the breach also revealed that MCI's databases contained records from citizens of other countries, including 1,935 records from Turkey, 218 from Australia, 848 from China, and others. According to the hackers, the compromised data includes approximately 30 million unique subscribers and 61 million phone numbers in total.

If you work for MCI or have additional information about this breach, you can message me on Telegram or send me an email. Your identity will be protected.

Address of the hacking group on Telegram: https://t.me/ShadowBitsOfficial