[BreachExchange] T-Mobile says hackers stole records belonging to 48.6 million individuals

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Aug 18 11:06:57 EDT 2021 

https://www.bleepingcomputer.com/news/security/t-mobile-says-hackers-stole-records-belonging-to-486-million-individuals/

T-Mobile has confirmed that attackers who recently breached its servers
stole files containing the personal information of tens of millions of
individuals.

The massive breach impacts roughly 7.8 million T-Mobile postpaid customers,
850,000 T-Mobile prepaid users, and approximately 40 million former or
prospective ones.

Adding it all up, the attackers stole records belonging to 48.6 million
individuals, including current, former, or prospective T-Mobile customers.

"Importantly, no phone numbers, account numbers, PINs, passwords, or
financial information were compromised in any of these files of customers
or prospective customers," T-Mobile said.

"Some of the data accessed did include customers’ first and last names,
date of birth, SSN, and driver’s license/ID information for a subset of
current and former postpay customers and prospective T-Mobile customers."

Luckily, according to the US mobile carrier, the file stolen during the
incident did not contain phone numbers, account numbers, PINs, passwords,
or financial information belonging to current or prospective T-Mobile
customers.

Account PINs reset for 850K prepaid customers

"At this time, we have also been able to confirm approximately 850,000
active T-Mobile prepaid customer names, phone numbers and account PINs were
also exposed," the carrier added.

"We have also confirmed that there was some additional information from
inactive prepaid accounts accessed through prepaid billing files."

T-Mobile has already reset all the PINs for these accounts to protect them
from takeover attempts and is in the process of notifying all impacted
users.

The company is now taking steps to protect customers potentially at risk
following this massive breach by:

   - Immediately offering 2 years of free identity protection services with
   McAfee’s ID Theft Protection Service.
   - Recommending all T-Mobile postpaid customers proactively change their
   PIN by going online into their T-Mobile account or calling our Customer
   Care team by dialing 611 on your phone. This precaution is despite the fact
   that we have no knowledge that any postpaid account PINs were compromised.
   - Offering an extra step to protect your mobile account with our Account
   Takeover Protection capabilities for postpaid customers, which makes it
   harder for customer accounts to be fraudulently ported out and stolen.
   - Publishing a unique web page later on Wednesday for one stop
   information and solutions to help customers take steps to further protect
   themselves.

Sixth data breach in less than four years

T-Mobile partially confirmed the claims of a threat actor who was selling a
database allegedly containing the data for approximately 100 million
T-Mobile customers, stolen in a massive server breach.

Attackers can use customer information stolen in this attack for SIM
swapping attacks, allowing them to take over other online accounts
belonging to the victims.

All T-Mobile customers should now be on the lookout for any suspicious
emails or text messages pretending to be from T-Mobile.

If you receive one, do not click any embedded links as attackers could use
them to harvest credentials.

This is the sixth major data breach suffered by T-Mobile during the last
four years:

   - In 2018, info belonging to millions of T-Mobile customers was accessed
   by hackers.
   - In 2019, T-Mobile exposed prepaid customers' data.
   - In March 2020, hackers gained access to T-Mobile employees' email
   accounts.
   - In December 2020, hackers accessed exposed customer proprietary
   network information (phone numbers, call records).
   - In February 2021, threat actors targeted up to 400 customers in SIM
   swap attacks after gaining access to an internal T-Mobile application.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210818/fcbbdd22/attachment.html>

More information about the BreachExchange mailing list