Contact, Account Data for More Than 1 Million Customers Leaked
T-Mobile says it suffered a breach of prepaid accounts as a result of unauthorized access to its systems.
“Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account,” the company says in a statement. “We promptly reported this to authorities.”
The exposed data includes names, billing addresses, phone numbers, account numbers, rate plans and other details, such as whether a person subscribed to international calling, T-Mobile says.
A T-Mobile spokesperson tells Information Security Media Group the breach affected “less than 1.5 percent of T-Mobile’s total customers.” According to an announcement of T-Mobile’s third quarter financial results, the company had 84.2 million customers, which means the breach may have affected more than 1 million accounts.
“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” the company says. “We truly regret that this incident occurred and apologize for any inconvenience this has caused you.”
T-Mobile: Reset Your PIN
T-Mobile is notifying victims by SMS. It’s recommending that victims change the PIN associated with their account, although it did not specifically say PINs were breached.
Although it’s not required, T-Mobile enables customers to set up a six- to 15-digit numerical PIN. If a PIN is set up, customer service representatives will ask for it before making account changes.
T-Mobile is likely recommending a PIN change because the information could conceivably be helpful if an attacker is trying to steal a phone number, a scheme sometimes referred to as SIM hijacking or unauthorized number porting.
SIM hijacking has become increasingly prevalent as cybercriminals seek to route around two-factor authentication for online accounts. Although SMS has been regarded as an insecure channel to receive two-factor authentication codes, most service providers still offer it.
Hijacking someone’s phone number offers a way to receive the code. Phone number ports can often be initiated online with only basic information about a victim. It’s also possible to impersonate victims on the phone with the same information, tricking customer service into issuing a new SIM or transferring the number.
Risk: SIM Hijacking
Unauthorized number ports have been at the root of several high-profile thefts of cryptocurrency from online exchanges.
Cryptocurrency investor Michael Terpin filed a lawsuit against AT&T in August 2018, alleging the company failed to stop two attacks where his phone number was taken over (see: AT&T Sued Over $24 Million Cryptocurrency SIM Hijack Attacks).
Terpin alleges he lost $24 million in various kinds of cryptocurrency and is seeking an additional $200 million in punitive damages. His lawsuit alleges that AT&T employees were complicit in such schemes. In July, a federal judge rejected a motion by AT&T to dismiss the case, according to a news release.
In another case, federal prosecutors have also alleged collaboration between telecommunications company employees and cybercriminals. Three former employees of Verizon and AT&T were part of a group of nine charged for alleged involvement in cryptocurrency thefts (see: Alleged SIM Swappers Charged Over Cryptocurrency Thefts).
The type of information leaked in T-Mobile’s incident would be of use for phone porting schemes, although accounts that have a PIN would be better protected.
Despite the incident, T-Mobile maintains that it has “a number of safeguards in place to protect your personal information from unauthorized access, use, or disclosure. T-Mobile, like any other corporation, is unfortunately not immune to this type of criminal attack. Because of that, we are always working to improve security so we can stay ahead of malicious activity and protect our customers.”
In August 2018, T-Mobile disclosed a breach of a database that exposed personal information for 2.3 million customers. The data included encrypted passwords, customers’ names, ZIP codes, phone numbers, email addresses, account numbers and whether the accounts are prepaid or postpaid (see: T-Mobile Database Breach Exposes 2 Million Customers’ Data).