US and British intelligence agencies hacked into a major manufacturer of Sim cards in order to steal codes that facilitate eavesdropping on mobiles, a US news website says.
The Intercept says the revelations came from US intelligence contractor turned whistleblower Edward Snowden.
The Dutch company allegedly targeted - Gemalto - says it is taking the allegations "very seriously".
It operates in 85 countries and has more than 40 manufacturing facilities.
The Intercept says that "the great Sim heist" gave US and British surveillance agencies "the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data".
It says that among the clients of the Netherlands-based company are AT&T, T-Mobile, Verizon, Sprint and "some 450 wireless network providers around the world".
Full investigation
The Intercept alleges that the hack organised by Britain's GCHQ and the US National Security Agency (NSA) began in 2010, and was organised by operatives in the "Mobile Handset Exploitation Team". Neither agency has commented directly on the allegations.
However, GCHQ reiterated that all its activities were "carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate".
How does the hack work?
Each Sim card has an individual encryption key, installed by the chip manufacturer, that secures communications between the handset in which it is inserted and mobile phone masts.
This means that if anyone were to snoop on conversations or text messages, they would receive garbled, unintelligible data.
That is, of course, unless those carrying out the surveillance get hold of the encryption key. With that information, they can even decrypt previously intercepted communications.
However, this tactic only works for phone conversations and text messages. Communications through mobile applications such as WhatsApp, iMessage and many email services have separate encryption systems.
The stolen encryption keys allowed the agencies to decode data that passes between mobile phones and cell towers. They were able to decrypt calls, texts or emails intercepted out of the air.
A Gemalto spokeswoman said the company was unable to verify whether there had indeed been a breach, and highlighted that other Sim manufacturers could also have been targeted.
She added: "We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated techniques to try to obtain Sim card data".