On August 16, 2021, wireless carrier T-Mobile confirmed a data breach affecting nearly 50 million of its past, present and potential customers. The number could rise as more information comes to light. It’s not the first time the carrier has been breached in recent years. However, this is the largest.
Who is T-Mobile?
T-Mobile is the second-largest wireless carrier in the US by subscriber numbers, behind Verizon and slightly ahead of AT&T. In its most recent annual report, the company indicated it had more than 100 million customers. Deutsche Telekom is its largest shareholder.
How Was the Breach Discovered?
Vice’s Motherboard discovered a post on a dark web forum that claimed to be selling confidential data belonging to more than 100 million individuals. At around the same time as Motherboard’s reveal, the Twitter account und0xxed started to tweet details of the breach.
In their conversation with Motherboard, the seller alluded to the data coming from T-Mobile servers. From samples the seller shared, Motherboard confirmed that it indeed contained accurate data on T-Mobile customers. The seller was asking for approximately US$270,000 in bitcoin for a subset of the data.
What Data Was Stolen?
The information included names, dates of birth, Social Security numbers, drivers’ licenses, government identification numbers and T-Mobile prepaid PINs. The bad actors selling the information claimed the stolen data included IMEI and IMSI numbers but the wireless carrier is yet to confirm this.
T-Mobile says at present, it has no indication that personal payment or financial information, debit or credit card information, account numbers or account passwords were part of the breach.
Who Was Affected?
T-Mobile initially said the hackers made off with personal information belonging to just under 50 million individuals overall. These included 40 million past and prospective customers, 7.8 million existing postpaid customers and 850,000 current prepaid customers.
The company updated the figures a few days later after discovering an additional 5.3 million customers were affected. This brings the total to more than 53 million. The number could go up even further as the investigation continues.
How Did the Breach Occur?
Preliminary findings indicate that the attackers used an open access point to steal the data. The investigation is ongoing, so at the time of this post’s publication it is not yet conclusive how the hackers gained entry or who was behind the cyberattack.
Who Was Responsible?
The attacker remains unknown. Twitter account und0xxed claimed the elusive hacker IntelSecrets was involved in the breach. IntelSecrets has in the past taken credit for modifying the Mirai botnet source code and subsequently selling the new variant (known as Satori) to bad actors.
How Do You Know If You Are Affected?
The company’s CEO tweeted that affected individuals can expect to hear from T-Mobile soon. That being said, even if the wireless carrier does not contact you, that does not mean your information is safe.
In their interaction with Motherboard, the sellers claimed the attack affected all of T-Mobile’s 100+ million customers. So whether you are a present or past customer, or if you have applied for the service in the past, tune up your data security just in case.
What Are the Risks Associated With the Breach?
The hack was discovered when someone tried to sell the data on the dark web. This shows there’s a lucrative market for stolen data. The information is a gold mine for identity thieves and digital fraudsters. Bad actors could use the data to hijack an existing T-Mobile account or create a new account (whether T-Mobile or another service) in the affected customer’s name.
In particular, with PINs potentially falling into the wrong hands, there is a real risk of SIM swapping. Fraudsters can call T-Mobile customer care and request that your phone number be switched to a new device and SIM card. With that, bad actors can effectively take over your phone number and all that comes with it.
Cybercriminals could for instance use your phone number to obtain login details and multi-factor authentication information for online accounts where you have registered with the phone number. They are effectively a couple of clicks away from logging into your email, social media and bank accounts.
What Has T-Mobile Done to Mitigate the Risks?
- T-Mobile says it identified and closed the access points it believes hackers used to gain entry. The seller Motherboard talked to confirmed this.
- The hackers stole prepaid PINs belonging to 850,000 customers. T-Mobile reset these shortly thereafter to protect the carrier’s customers. Customers can also dial 611 to change their PINs.
- The company has set up a webpage to help affected customers protect themselves from potential cybersecurity threats. Resources include identity theft protection (free for two years), scam-blocking protection and account takeover protection.
What Should You Do If You Are Affected?
- Change your PIN and account password. It doesn’t seem password information was compromised in the breach. Nevertheless, err on the side of caution. This is especially important if you use the same password on your T-Mobile account as you do on other systems. Better yet, instead of having the same password across multiple platforms, consider using a password manager to more efficiently keep track of multiple unique logins.
- Enable Multi-Factor Authentication (MFA). With MFA, one has to provide more than just a password to sign into financial, social media and other online accounts. Even if bad actors have your password, they won’t be able to sign into the system with it alone.
- Delete or disable dormant accounts. The T-Mobile data breach is a reminder that, in the hands of bad actors, your dormant and unused accounts can still be used for criminal ends. To mitigate the risk, search for the phrase ‘new account’ or ‘welcome to’ in your email inbox and see the list of websites you may have signed up for. From this, you can identify the accounts you no longer need so you can delete them.
- Freeze your credit. T-Mobile says no financial information was stolen. Nevertheless, the data the company confirmed was stolen can be used for identity theft and opening new lines of credit. Freezing your credit makes it harder for criminals to exploit your identity for fraud.
- Monitor your financial accounts. Often, bad actors will want to tap into leaked confidential data to execute financial fraud. Monitor not just your bank and credit card accounts but also payment services such as Venmo and PayPal.
- Look out for phishing attacks. The data breach may have provided a vast amount of confidential information to cybercriminals, but they may want to extract even more. The more information they have, the easier it is for them to recreate your identity. Phishing attacks are a popular tool for this. The attacks may come in multiple forms such as misleading emails, malicious links, fake offers and deceptive phone calls.
- Keep your ear to the ground. The situation is still evolving as the investigation proceeds. It is possible new information could emerge in the coming days, weeks and months.
Recent Data Breaches at T-Mobile
T-Mobile is no stranger to data breaches. This is the sixth significant incident the wireless carrier has faced in the past six years.
Cybercriminals made away with personally identifiable information belonging to approximately 15 million existing and potential T-Mobile customers in the US. The information included Social Security numbers, birth dates and home addresses. Hackers obtained the information from an Experian server.
Cybercriminals accessed the personal details of two million customers. This included customer names, phone numbers, email addresses, account numbers and billing ZIP codes.
Cybercriminals stole data belonging to some prepaid wireless accounts. The data breached included names, billing addresses, phone numbers and account numbers.
Hackers gained access to some employees’ email accounts. The cybercriminals then used this to steal data on both employees and customers including names, addresses, account numbers, billing information, financial account information, Social Security numbers, government identification numbers and phone numbers.
A breach exposed about 200,000 customer phone numbers, call-related information and the number of lines subscribed to the customer’s account.
Beware of Becoming Inured
With the growing number of major data breaches hitting global headlines every other week, you could grow numb to the risks. A lot of confidential data on tens of millions of Americans is already out there thanks to many past data breach incidents. Still, shrugging it off will not work. You should assume that each incident is a unique threat and must be tackled accordingly.