Reports of massive data breach at T-Mobile (100 Million users)

[Techie_Freak 99]

Summary

Reports of a massive data breach at T-Mobile. Post on an underground forum, as reported by Vice, claims that they have customer info (ssn, imei numbers, physical address etc) for 100 Million users.

They are selling some info for Bitcoin equivalent of $270,000. T-Mobile has not confirmed it as they are investigating the reports as of the time of posting. 

 

Keep in mind, this is an unconfirmed and developing story. I will try to update when more info is released!

 

Quotes

Quote

Quote 1: "T-Mobile USA. Full customer info," the seller told Motherboard in an online chat. The seller said they compromised multiple servers related to T-Mobile.

Quote 2: The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. They said that although it appears T-Mobile has since kicked them out of the hacked servers, the seller had already downloaded the data locally.

 

My thoughts

Another situation like Experian, a few years ago?

 

Sources

https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million

https://www.reuters.com/business/media-telecom/t-mobile-investigating-claims-customer-data-breach-vice-2021-08-15/

[Lurick]

That's a major yikes if this turns out to all be true. I really hope it doesn't turn into another Experian again but it probably will all things considered and I'm sure it will be blamed on some single employee or someone who forgot to do something or it will turn out they didn't invest it well rounded security practices and whatnot.

[Skiiwee29]

Big yikes if true, but seems very very low cost for the data, 270k? With that kind of information and data I would expect to see at least a 7 or 8 figured number. 

[The_russian]

3 minutes ago, Skiiwee29 said:

Big yikes if true, but seems very very low cost for the data, 270k? With that kind of information and data I would expect to see at least a 7 or 8 figured number. 

From the Vice article:

Quote

On the underground forum the seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million social security numbers and driver licenses. The seller said they are privately selling the rest of the data at the moment.

So it’s 270k for 30 million SSNs and driver licenses and the rest is being sold privately. I was thinking the same thing though, that seems like a low number for that amount of data.

[StDragon]

1 minute ago, The_russian said:

From the Vice article:

So it’s 270k for 30 million SSNs and driver licenses and the rest is being sold privately. I was thinking the same thing though, that seems like a low number for that amount of data.

This is probably a "taste". Next offer would probably substantially more expensive!!!

[The_russian]

1 minute ago, StDragon said:

This is probably a "taste". Next offer would probably substantially more expensive!!!

That and also probably to verify the data is actually legitimate and not just some auto-generated numbers.

[SansVarnic]

1 hour ago, Techie_Freak 99 said:

data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said.

Who the hell gave them their SSN and Drivers License numbers.

I use T-Mobile and they never asked me that info, had they did, I would not have given it. If people really did, foolish move.

[BondiBlue]

Man, I'll be interested to see where this goes. That's a lot of info. 

[Taf the Ghost]

T-Mobile got most of their customer DB hacked a couple of years ago. So, it isn't even the first time. But it's the first time after the merger? (Not sure if the systems are all integrated yet.)

[Taf the Ghost]

1 hour ago, SansVarnic said:

Who the hell gave them their SSN and Drivers License numbers.

I use T-Mobile and they never asked me that info, had they did, I would not have given it. If people really did, foolish move.

I imagine there is a DB out there with SSNs + Names that could be easily merged with hard name + address data.

[SansVarnic]

18 minutes ago, Taf the Ghost said:

I imagine there is a DB out there with SSNs + Names that could be easily merged with hard name + address data.

Possible, at least I can rest assured mine won't be one of those. I dont give out my ssn to anyone for any reason.

[Arika]

i'm so glad Australia doesn't have an equivalent of an SSN, too much power is given to a single number and is always the target in attacks like this.

[Pickles von Brine]

Well fuck me. I am a t-mobile customer...

This looks really bad and can allow someone to do some nasty shit.

[flibberdipper]

mmmmmmmmmmmmmm don't like this one bit

[DrMacintosh]

I never gave T-Mobile my SSN. Don't think Sprint has it either...

[Lurick]

14 hours ago, SansVarnic said:

Who the hell gave them their SSN and Drivers License numbers.

I use T-Mobile and they never asked me that info, had they did, I would not have given it. If people really did, foolish move.

Credit checks is the only thing I can think of for some customers or plans?

[Lurick]

I'd hazard a guess that T-Mobile just doesn't care, I'd almost forgotten their track record

 

In 2017

and in 2018

can't forget 2019

what about 2020

I wonder what will leak next year!

[Guest willies leg]

Meh, really doesn't matter, all our data everywhere is hacked.

[wanderingfool2]

16 hours ago, SansVarnic said:

Possible, at least I can rest assured mine won't be one of those. I dont give out my ssn to anyone for any reason.

I was thinking the exact same thing.  At least here, there isn't any reason to give out your SSN unless if it's for literally a job.

 

2 hours ago, Lurick said:

Credit checks is the only thing I can think of for some customers or plans?

hmm maybe...but do the phone carriers in the US do that?  Even on my plan, where I got a credit card...it was only putting in my SIN with the associated bank (and my carrier didn't get my SIN number)

[StDragon]

19 hours ago, SansVarnic said:

Who the hell gave them their SSN and Drivers License numbers.

I use T-Mobile and they never asked me that info, had they did, I would not have given it. If people really did, foolish move.

You would be surprised how many people with poor credit sign up for accounts. These providers are demanding information up-front so they can later go after them for collections if they default on their account.

[Clarkius]

20 hours ago, Skiiwee29 said:

Big yikes if true, but seems very very low cost for the data, 270k? With that kind of information and data I would expect to see at least a 7 or 8 figured number. 

I thought it was rather low as well, considering the potential value of the alleged data contained. 

[lostcattears]

Thank god I never used T-mobile 

[SansVarnic]

39 minutes ago, lostcattears said:

Thank god I never used T-mobile 

Thank god I didnt use <insert latest company data breach> ...

Ok.

[The_russian]

For anyone keeping an eye on this, T-Mobile confirmed in a blog post that customer data was accessed/stolen. 

 

Quote

• Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems. We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.
• We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.
• Yesterday, we were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals. We also began coordination with law enforcement as our forensic investigation continued.
• While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.
• We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information.
• Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers. 
• Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.
• As a result of this finding, we are taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack. Communications will be issued shortly to customers outlining that T-Mobile is:
  • Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
  • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling our Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.
  • Offering an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.
  • Publishing a unique web page later on Wednesday for one stop information and solutions to help customers take steps to further protect themselves. 
• At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.
• We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.

 

Source: 

https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation

[Kid.Lazer]

On 8/15/2021 at 7:54 PM, SansVarnic said:

Possible, at least I can rest assured mine won't be one of those. I dont give out my ssn to anyone for any reason.

Have you never financed anything? All credit inquires will require your ssn.