Panda SecurityIn a brazen attack, cybercriminals managed to hijack Mobile Commons. The company is a mass text messaging service provider that also serves as an official text alert system for the state of New York. A company spokesperson told NBC News that the hackers gained control of the sensitive system through either a spear-phishing attack or a similar social engineering method. The fraudsters sent a spam text to approximately 200,000 people referencing a transaction that never occurred. The text also provided a phone number for New Yorkers to call if they needed more details. The hackers had control of the sensitive mass text system for about four hours before the malicious activity was detected and terminated. Immediately after the breach was discovered, Mobile Commons sent a follow-up message. The message notify recipients that the initial message had been flagged as spam.
Key takeaways
- Mobile Commons, a New York state-approved mass messaging service provider, experienced a security breach on November 10th, 2025.
- There is no definite number of how many people fell for the trap. But according to a New York state spokesperson, nearly 200,000 people received the malicious message from the hackers.
- Hackers sent messages from the official number to subscribers of New York state. They sent messages to a charity organization, and a progressive political organizing group called Fight for a Union.
- The attack confirms that even heavily regulated companies with access to white-label short code phone numbers can fall victim to hackers and make mistakes.
The New York official text alert hack explained
Earlier this month, on November 10th, 2025, approximately 200,000 Americans received fraudulent text messages from a legitimate number. The number was operated by Mobile Commons, a mass text service provider. Instead of a valuable public service announcement, the text contained details of a nonexistent transaction and encouraged people to reply and call a 888 number. Although hundreds of thousands of people received spam texts, the messaging platform stated that hackers were unable to access customer or subscriber data directly. The company did not report any ransom requests from the bad actors either.
How did the hackers gain access, and who is behind the attack?
They managed to get in through a social engineering attack. Hackers tricked someone at the organization into opening a loophole that would eventually allow them to get control of the mass text service. It is currently unknown which hacker organization is responsible for the attack. The fraudsters probably act independently and do not receive support from any state; they are money-driven cybercriminals. They did not attempt to cause mass panic, but instead pushed a relatively common scam. The cyber incident demonstrates that even companies heavily regulated by the government can still become victims of a cyberattack.
Are government mass text mishaps uncommon?
There are numerous examples of things not going well during emergency alerts and mass communications. The most recent mishap happened just a day after the security incident in New York. On Veteran’s Day, approximately ten million people in California received a text emergency alert from the city of South Pasadena. They were not supposed to receive. The smartphones of almost half of the population in the Greater Los Angeles Area were buzzing for no apparent reason due to human error. Luckily, the emergency message did not contain spam but was just a test. The spokesperson for the city of South Pasadena confirmed that city officials did not intend the test alert to reach that many people.
Cyberattacks and human errors are not uncommon. Hackers rarely succeed in hacking legitimate text message operators. However fraudsters are always looking for ways to monetize and try to hijack anything that gives them access to a broad audience. They target everything from social media accounts of celebrities and companies to government-used mass text distributors. Approximately 3 out of 4 Americans have experienced online spam or phishing attacks. And one of the best ways to stay safe is to have the protection of a tier-one antivirus software. Spammy texts sometimes end up on people’s smart devices in the form of emails and texts. But such messages rarely make it past top antivirus filters.
