Breach Notification , Cybercrime , Cybercrime as-a-service

T-Mobile: Attackers Stole 8.6 Million Customers' Details

40 Million Credit Applications Also Stolen; Social Security Numbers Exposed
T-Mobile: Attackers Stole 8.6 Million Customers' Details
T-Mobile's store in Times Square, New York (Photo: T-Mobile)

T-Mobile USA has confirmed that its systems were breached and that investigators have found that details for 8.6 million customers were stolen, as were 40 million credit application records.

See Also: Gartner Guide for Digital Forensics and Incident Response

"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile," the company says. "Importantly, no phone numbers, account numbers, PINs, passwords or financial information were compromised in any of these files of customers or prospective customers."

In addition, attackers also stole names, phone numbers and account PINs for 850,000 prepaid customers, it says.

The warning follows the Bellevue, Washington-based mobile communications subsidiary of Germany's Deutsche Telekom on Monday confirming that it was investigating a breach of its systems but wasn't yet able to confirm if customer data might have been stolen.

In a statement released late Tuesday, however, T-Mobile says: "While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information."

Thus far, T-Mobile says it has found no signs that financial information, including bank account or credit or debit card details, was exposed, but it says numerous personal details were exposed for postpaid customers, as well as names and PIN codes for prepaid customers.

Postpaid refers to a mobile phone subscription plan that charges an individual at the end of the month for what they have actually used. Prepaid subscribers pay a flat, monthly fee for service.

Stolen: 7.8 Million Postpaid Customers' Details

For the 7.8 million postpaid customers' whose details were exposed, as well as the 40 million records for individuals - both customers as well as prospects - who applied for credit with T-Mobile, the company says that "some of the data accessed did include customers' first and last names, date of birth, Social Security number and driver's license/ID information."

Given the risk of account takeover, identity theft and fraud facing these individuals, T-Mobile says it will be immediately contacting all affected individuals and offering them a prepaid, two-year subscription to McAfee's ID Theft Protection service.

T-Mobile recommends that postpaid customers "proactively change their PIN by going online into their T-Mobile account or calling our customer care team by dialing 611 on your phone." It notes that at least so far, there are no signs that any attackers have attempted to use the stolen information to take over prepaid accounts.

T-Mobile says it will also be offering postpaid customers "account takeover protection capabilities" that add an extra step to change mobile account details, "which makes it harder for customer accounts to be fraudulently ported out and stolen."

T-Mobile has promised to publish a dedicated web page on Wednesday detailing all of this information, including steps it recommends for customers to better protect themselves.

Stolen: 850,000 Prepaid Customers' Details

For the 850,000 prepaid customers affected by the data breach, T-Mobile says records containing their names, phone numbers and account PINs were stolen. "We have already proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away," it says.

Attackers also stole "some additional information from inactive prepaid accounts accessed through prepaid billing files," it says. "No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file."

T-Mobile says that no prepaid customers of Metro by T-Mobile, as well as former prepaid customers of Sprint or Boost, were affected by the breach.

Investigation Launched After Theft Report

T-Mobile says it began investigating the breach immediately after reports surfaced that its customer data had been stolen, bringing in third-party digital forensic investigators and alerting law enforcement authorities.

"Late last week, we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems," it says. "We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers."

Late Wednesday, the U.S. Federal Communications Commission, which regulates the telecommunications industry, announced that it would be probing the breach, as Reuters first reported. "Telecommunications companies have a duty to protect their customers’ information. The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating," a spokeswoman tells Information Security Media Group.

Credit for the breach has been taken by a group of individuals that security analysts say appear to have been involved in the targeting of telecommunications firms - via SIM-swapping attacks and lookup services that match phone data with numbers - since at least 2018 (see: T-Mobile Probes Attack, Confirms Systems Were Breached).

One self-proclaimed participant in the endeavor uses the Telegram alias Anton Lyashevesky and the Twitter handle @Intelsecrets. This individual also goes by the name John Erin Binns and has been known by other handles in the past, including "Irdev." Gene Yoo, CEO of security firm Resecurity, says @Intelsecrets also has been linked to another handle, @v0rtex, which three years ago sold a lookup service that matched IMSI numbers with phone numbers from multiple carriers.

Also involved is someone who goes by the Twitter handle @und0xxed. He has told ISMG that @intelsecrets is the person who actually breached T-Mobile, which @intelsecrets has confirmed.

Attackers Claim 'Insecure Backup Server'

In a Tuesday tweet, @und0xxed claimed that the customer data had been stolen by @Intelsecrets from "an insecure backup server" where it "was sitting in plaintext."

A tweet from @und0xxed claims the data was stolen from a backup server. (Source: Twitter)

As Vice has reported, and @und0xxed has confirmed to ISMG, the attackers had attempted to shake down Mike Sievert, CEO of T-Mobile USA, by sending him - and T-Mobile's cybersecurity head - an offer for the return of the stolen data in exchange for $2 million worth of bitcoin or monero cryptocurrency. The attackers say T-Mobile never responded.

The stolen information, @und0xxed says, includes Social Security numbers for well-known individuals. "There's an old entry for Trump, Biden's dead son is in there, the director of the CIA is in there, James Clapper and James Brennan are in there, and a few others," he said.

Executive Editor Jeremy Kirk contributed to this report.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.