T-Mobile breach exposes data for more than 40M people

T-Mobile said hackers stole the account details of more than 40 million people in a recent data breach.

The lifted data includes the first and last names of current, former and prospective customers, as well as other personally identifiable information (PII) such as dates of birth, Social Security information, and driver's license and ID numbers. The telecom giant confirmed on Tuesday reports from earlier this week that it had suffered a network breach and lost data on tens of millions of customers.

Motherboard first reported the T-Mobile breach earlier this week, with the company later confirming the reports. The hacker claimed to have data on 100 million customers, including physical addresses and IMEI numbers, though T-Mobile's statement doesn't mention either data type.

It is not yet clear if T-Mobile was aware of the incident before Motherboard inquired. The hack impacts not only current and former customers, but people who had applied for an account with the carrier and were subject to credit checks, meaning the company kept their personal information.

"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files," T-Mobile said, "as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile."

T-Mobile said the stolen data did not include phone numbers, account numbers, PINs, passwords or any financial information. The company is advising postpaid customers to change their PIN number as a precautionary measure. The carrier is also offering those who info was exposed two years of identity monitoring service.

In addition, T-Mobile said approximately 850,000 current T-Mobile prepaid customer names, phone numbers and account PINs were stolen. The company proactively reset all PINs on those accounts.

UPDATE 8/20: T-Mobile announced its ongoing breach investigation revealed more victims. According to an update, the company identified an additional 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and international mobile subscriber identity numbers (IMSIs) stolen. T-Mobile also determined the 7.8 million current T-Mobile postpaid customers it first identified also had their phone numbers, IMEIs and IMSIs compromised.

Additionally, T-Mobile said it found an additional 667,000 impacted accounts of former T-Mobile customers on top of the 40 million former and prospective customers that had their names, phone numbers, addresses and dates of birth compromised. The company said the attacker also obtained other files with phone, IMEI and IMSI numbers, though it did not contain any PII. T-Mobile did not specify how many affected accounts were in those files.

It's unclear when T-Mobile first learned of the breach. The Motherboard report, which cited the hacker who performed the attack, first gave word of the attack, though the hacker told Motherboard that their backdoor access to breached servers had been lost. While details of the timeline are still being worked out, what is clear is that the hacker was able to spend some time inside the company's network before being discovered.

"While we don't yet know the details of how exactly the T-Mobile data was breached, this is yet another reminder that taking proper precautions for data at rest and a sound security monitoring strategy is paramount," said Mark Orlando, CEO of infosec consultancy Bionic, in a statement to SearchSecurity.

While the hack is bad enough for individuals, experts tell SearchSecurity that the incident may also pose a threat to enterprises thanks to the close links so many workers have with their phones.

"With phone numbers, account PINs, and IMEI data exposed for many customers, this breach can be a potential starting point for vendor and supply chain phishing fraud," explained Brian Johnson, CSO at email security vendor Armorblox.

"Since phones are a preferred second method of authentication, cybercriminals can use this data to attempt MFA bypass and take over the target's email accounts."

Meanwhile, the hacker behind the attack is seeking a $280,000 payout on the dark web for the lifted data, according to Motherboard, and experts believe someone will be more than willing to meet that price.

"The reality is that the dark web is the third largest economy in the modern world, and with breaches of this scale often providing a six-figure payday, cybercriminals will continue to seize these opportunities," said Rick McElroy, principal security strategist with VMware.