Over the weekend in mid-August, a supposed hacker bragged in online forums about having successfully carried out a data breach involving tens of millions of current, prospective, and previous T-Mobile customers. The hack involved 106GB of data, including T-Mobile’s Oracle customer relationship management (CRM) database.
T-Mobile acknowledged the attack on 16 August and released further details in a statement on 17 August. T-Mobile further informed the public that the leak involved 7.8 million postpaid subscribers, 850,000 prepaid customers and “just over” 40 million past or prospective customers who’ve applied for credit with T-Mobile.
After initial investigations, it was reported that no phone numbers, account numbers, PINs, passwords, or financial information were among the compromised information. Initially, this puts T-Mobile’s account at odds with that of the attacker who claims that phone numbers, account numbers, security PINs, and passwords were indeed among the stolen data.
However, it has now come to light that the phone numbers, IMEI and IMSI information, customer names, addresses, and dates of birth of a further 5.3 million current postpaid customer accounts were also accessed.
Another 667,000 accounts of former T-Mobile customers were also accessed, along with customer names, phone numbers, addresses, and dates of birth. To top it off, 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were exposed. In response, T-Mobile has reset the PINs on all of the affected accounts.
However, T-Mobile still maintains that no SSNs, driver’s license/ID information, financial information, credit card or debit card information, or other payment information was compromised.
T-Mobile also claims that it immediately identified and sealed off the access points used by the attacker after becoming aware of the incident.
According to the threat actor themselves, infiltrating T-Mobile’s servers was shockingly easy. If they are to be believed, a configuration error on an access point left it wide open for anyone who knows where to look.
The T-Mobile leak is supposedly part of a larger attack on US infrastructure, purportedly involving as many as 100 million accounts contained in various stolen databases. According to the attacker(s), this latest data theft spree is in retaliation for the detention and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019.
Binns, a US citizen residing in Turkey, has subsequently filed a lawsuit against the FBI, CIA, and DoJ for his alleged detention and torture as well as to release information pertaining to this investigation under the Freedom of Information Act.
The actor is publicly offering roughly 30 million records at 1 cent per record, or roughly 6 bitcoin (~$270,000) for the entire set. The rest of the supposed 100+ million records are being sold off privately.
Considering the relative ease with which the latest heist was pulled off, this has raised concerns about how seriously T-Mobile takes data security. The US’ third-largest carrier has fallen victim to a number of data breaches over the last few years.