Personal information belonging to tens of millions of current, former, or prospective T-Mobile customers has been leaked to hackers, the wireless carrier stated Tuesday, August 17. In a post on its website, T-Mobile disclosed that the breach affects as many as 7.8 million postpaid subscribers, 850,000 prepaid customers, and just over 40 million past or prospective customers who have applied for credit with the company.
While no customer financial information appears to have been exposed, the stolen personal information includes names, dates of birth, Social Security numbers, and driver’s license numbers for “a subset of current and former post-pay customers and prospective T-Mobile customers.” Importantly, “no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”
Nevertheless, T-Mobile is recommending that all T-Mobile postpaid customers preemptively change the PINs protecting their accounts, by going online into their T-Mobile account or calling customer care at 611. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” the advisory reads. Account PINs belonging to the 850,000 prepaid customers were compromised, however, and T-Mobile said it has reset those PINs as a security precaution.
It is not clear how many people in total may be impacted by this breach, as T-Mobile has not yet responded to requests for information on how many of the 7.8 million current customers may also have been affected by the credit application breach. T-Mobile has confirmed that customers of other prepaid brands including Metro, Boost, and former Sprint prepaid customers have not had their PINs or names exposed. Furthermore, T-Mobile said it will offer two years of free credit monitoring to affected customers.
The intrusion first became known on Twitter when the account @und0xxed started tweeting the details, and someone on a cybercrime forum began selling what they claimed were more than 100 million freshly hacked records from T-Mobile. The hackers claimed one of those databases held the name, date of birth, SSN, driver’s license information, plaintext security PIN, address, and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.
The investigation into the breach began after Vice reported on Sunday that hackers were offering T-Mobile customer data for sale on the dark web. On Monday, T-Mobile confirmed a cybersecurity incident but offered no further details at the time. In a statement Tuesday evening, T-Mobile said a “highly sophisticated” attack against its network led to the breach of data on millions of customers. The acknowledgment came less than 48 hours after millions of the stolen T-Mobile customer records went up for sale in the cybercrime underground.
In addition to the two years of identity theft protection services that T-Mobile offers for any affected customers, it is also offering “an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.” Why the company would not make that extra protection standard for all accounts, considering this massive breach, is not entirely clear.
If you are a current T-Mobile customer, change your account PIN as instructed. Even if you are not a T-Mobile customer, consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases, that number can be removed from your profile afterward.
This stolen data is being actively sold, but if the past is any teacher, much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers, and harassment.
Phishers will most likely take advantage of public concern over the breach by imitating T-Mobile — beware of messages that include the recipient’s compromised account information and other convincing details that try to make the communications look more legitimate.
If there is anything to take away from this breach, besides the fact that organizations need to be held to a greater standard of security, it is that despite their shortcomings, you should take matters into your own hands to be as safe as possible.
No one can guarantee that a breach will never happen again or that your information will be 100 percent safe, but security professionals can work with you to prepare for and mitigate the outcome. That is why Agency ensures that you will never face cybersecurity risks alone again, as their cybersecurity professionals work with you through every step of the process.