Hackers who breached T-Mobile stole personal data for ~49 million accounts

Getty Images

T-Mobile on Wednesday said criminals obtained the personal information of almost 49 million current, former, or prospective customers in the latest mega-hack of its servers.

The haul includes customers’ first and last names, date of birth, SSN, and driver’s license/ID information for 7.8 million current post-paid accounts, meaning accounts that are billed at the end of each billing cycle. The unknown hackers obtained the same data from more than 40 million records belonging to former or prospective customers who had previously applied for credit with T-Mobile.

Names, phone numbers, and account PINs for about 850,000 active T-Mobile prepaid customers were also stolen. T-Mobile said that “additional information” from an unspecified number of inactive prepaid accounts was also affected.

The cellular carrier said none of the hacked data included customer financial information, credit or debit card information, or other payment information. Except for data in the 850,000 prepaid accounts, none of the affected data included phone numbers or account PINs.

T-Mobile, which is no stranger to data breaches involving millions of customers, said it has retained cybersecurity experts to assist in an investigation of this latest hack. The company said it has located and closed the access point the hackers used to breach the servers. The carrier has also coordinated with law enforcement.

In response, T-Mobile said it is:

  • Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
  • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling our Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.
  • Offering an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.
  • Publishing a unique webpage later on Wednesday for one-stop information and solutions to help customers take steps to further protect themselves.

Word of the breach first surfaced over the weekend when someone using the Twitter account @und0xxed and someone on a cybercrime forum advertised the availability of millions of what they claimed were never-before-published records. A report from Motherboard confirmed that the data matched T-Mobile customers. Motherboard said the person selling the data claimed there were 100 million records available.

It’s not known if anyone has purchased the data or if the data is being used to engage in identity theft or other crimes. It’s not unusual for data stolen in breaches to eventually be published online so it’s available to anyone who takes the time to find it.

The availability of free credit monitoring is better than nothing, but the more meaningful steps affected people can take are to change PINs and account passwords and implement the above-mentioned option of setting up a passcode to restrict the porting of phone numbers to a new account, a crime typically known as SIM swapping. Even with such protections, SIM swapping remains a big enough risk that people should not link important accounts to their phone numbers whenever possible.