In June/July 2019, Sprint discovered that hackers had exploited a vulnerability on Samsung’s ‘Add a Line’ promotional webpage — a co-branded retail portal used to add new Sprint lines to existing accounts — to access Sprint customer account information. Sprint reset all affected account PIN codes within three days of discovery and notified state attorneys general. Exposed data included phone numbers, device types, device IDs, customer names, billing addresses, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility status, and add-on services. This was Sprint’s second known customer data breach in 2019, following the March 2019 Boost Mobile credential stuffing incident. Sprint was acquired by T-Mobile in 2020 for $26 billion.