T-Mobile: Attackers Stole 8.6 Million Customers' Details40 Million Credit Applications Also Stolen; Social Security Numbers Exposed
T-Mobile USA has confirmed that its systems were breached and that investigators have found that details for 8.6 million customers were stolen, as were 40 million credit application records.
"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile," the company says. "Importantly, no phone numbers, account numbers, PINs, passwords or financial information were compromised in any of these files of customers or prospective customers."
In addition, attackers also stole names, phone numbers and account PINs for 850,000 prepaid customers, it says.
The warning follows the Bellevue, Washington-based mobile communications subsidiary of Germany's Deutsche Telekom on Monday confirming that it was investigating a breach of its systems but wasn't yet able to confirm if customer data might have been stolen.
In a statement released late Tuesday, however, T-Mobile says: "While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information."
Thus far, T-Mobile says it has found no signs that financial information, including bank account or credit or debit card details, was exposed, but it says numerous personal details were exposed for postpaid customers, as well as names and PIN codes for prepaid customers.
Postpaid refers to a mobile phone subscription plan that charges an individual at the end of the month for what they have actually used. Prepaid subscribers pay a flat, monthly fee for service.
Stolen: 7.8 Million Postpaid Customers' Details
For the 7.8 million postpaid customers' whose details were exposed, as well as the 40 million records for individuals - both customers as well as prospects - who applied for credit with T-Mobile, the company says that "some of the data accessed did include customers' first and last names, date of birth, Social Security number and driver's license/ID information."
Given the risk of account takeover, identity theft and fraud facing these individuals, T-Mobile says it will be immediately contacting all affected individuals and offering them a prepaid, two-year subscription to McAfee's ID Theft Protection service.
T-Mobile recommends that postpaid customers "proactively change their PIN by going online into their T-Mobile account or calling our customer care team by dialing 611 on your phone." It notes that at least so far, there are no signs that any attackers have attempted to use the stolen information to take over prepaid accounts.
T-Mobile says it will also be offering postpaid customers "account takeover protection capabilities" that add an extra step to change mobile account details, "which makes it harder for customer accounts to be fraudulently ported out and stolen."
T-Mobile has promised to publish a dedicated web page on Wednesday detailing all of this information, including steps it recommends for customers to better protect themselves.
Stolen: 850,000 Prepaid Customers' Details
For the 850,000 prepaid customers affected by the data breach, T-Mobile says records containing their names, phone numbers and account PINs were stolen. "We have already proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away," it says.
Attackers also stole "some additional information from inactive prepaid accounts accessed through prepaid billing files," it says. "No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file."
T-Mobile says that no prepaid customers of Metro by T-Mobile, as well as former prepaid customers of Sprint or Boost, were affected by the breach.
Investigation Launched After Theft Report
T-Mobile says it began investigating the breach immediately after reports surfaced that its customer data had been stolen, bringing in third-party digital forensic investigators and alerting law enforcement authorities.
"Late last week, we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems," it says. "We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers."
Late Wednesday, the U.S. Federal Communications Commission, which regulates the telecommunications industry, announced that it would be probing the breach, as Reuters first reported. "Telecommunications companies have a duty to protect their customers’ information. The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating," a spokeswoman tells Information Security Media Group.
Credit for the breach has been taken by a group of individuals that security analysts say appear to have been involved in the targeting of telecommunications firms - via SIM-swapping attacks and lookup services that match phone data with numbers - since at least 2018 (see: T-Mobile Probes Attack, Confirms Systems Were Breached).
One self-proclaimed participant in the endeavor uses the Telegram alias Anton Lyashevesky and the Twitter handle @Intelsecrets. This individual also goes by the name John Erin Binns and has been known by other handles in the past, including "Irdev." Gene Yoo, CEO of security firm Resecurity, says @Intelsecrets also has been linked to another handle, @v0rtex, which three years ago sold a lookup service that matched IMSI numbers with phone numbers from multiple carriers.
Also involved is someone who goes by the Twitter handle @und0xxed. He has told ISMG that @intelsecrets is the person who actually breached T-Mobile, which @intelsecrets has confirmed.
Attackers Claim 'Insecure Backup Server'
In a Tuesday tweet, @und0xxed claimed that the customer data had been stolen by @Intelsecrets from "an insecure backup server" where it "was sitting in plaintext."
As Vice has reported, and @und0xxed has confirmed to ISMG, the attackers had attempted to shake down Mike Sievert, CEO of T-Mobile USA, by sending him - and T-Mobile's cybersecurity head - an offer for the return of the stolen data in exchange for $2 million worth of bitcoin or monero cryptocurrency. The attackers say T-Mobile never responded.
The stolen information, @und0xxed says, includes Social Security numbers for well-known individuals. "There's an old entry for Trump, Biden's dead son is in there, the director of the CIA is in there, James Clapper and James Brennan are in there, and a few others," he said.
Executive Editor Jeremy Kirk contributed to this report.