If you're with Belong Mobile in Australia, you might want to check your account security right about now. Multiple customers are reporting sophisticated, coordinated cyber attacks that started with mysterious data gifts and ended with compromised bank accounts.
Here's how it went down, according to detailed accounts posted on Reddit: Three housemates in Australia, all using Belong, received identical "gifts" of 1024MB of data from the same unknown number on April 26. Weird, but not immediately alarming.
Then the real attack began. One victim received a text and email saying changes had been requested to her account - changes she never made. While she was on the phone with Belong reporting it, she received another message with a verification code for an unauthorized SIM swap.
The company told her the account would be marked as "suspicious." Then, while still on the phone with support, her SIM was successfully swapped and her phone service cut off at 3:30pm.
For the next hour, emails flooded in: her bank, Google account, PayPal, and Afterpay had all been compromised. The attackers changed her passwords and email addresses, locking her out completely. It took a week to regain access to most accounts. Her main Google account is still in the hands of whoever did this.
Ten days later, the second housemate got hit with the exact same attack pattern. This time she moved faster to disable the phone number verification, which stopped the attackers from fully locking her out of accounts. Through her Google account, she could see an active session in Victoria - they're nowhere near there - with a new Victorian address attached.
The third housemate, who posted the warning, changed their account email as a precaution. It took two minutes, and the only verification Belong required was a date of birth (easily found online) and a security code sent to the phone number - which offers no protection once the SIM has been swapped, because the code then goes to the attacker.
Mate, this is shocking security for a major telco. Belong is owned by Telstra, one of Australia's biggest telecommunications companies. If their verification process is just DOB and SMS codes, they're basically handing over the keys to anyone who can social engineer their way past a call center.
The pattern suggests a coordinated attack exploiting systemic vulnerabilities: the identical data gifts, the timing on weekends when victims have less recourse, the rapid progression from SIM swap to account takeover. This isn't some random phishing scam - it's sophisticated and repeatable.
SIM-swapping has become a major vector for identity theft because once attackers control your phone number, they receive the SMS codes and reset messages sent to it, which lets them bypass SMS-based two-factor authentication on banking and email accounts. And if your telco's security is weak enough, it's disturbingly easy.
Belong customers should immediately enable additional account security, consider switching providers if possible, and definitely not rely on SMS-based two-factor authentication for critical accounts. Use authenticator apps instead.
The bigger question is what Belong and the broader telco industry are doing to fix these glaring security holes. Because right now, the attackers seem to be winning.




