T-Mobile: Attackers Stole 8.6 Million Customers’ Details

40 Million Credit Applications Also Stolen; Social Security Numbers Exposed

T-Mobile USA has confirmed that its systems were breached and that investigators have found that details for 8.6 million customers were stolen, as were 40 million credit application records.



“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the company says. “Importantly, no phone numbers, account numbers, PINs, passwords or financial information were compromised in any of these files of customers or prospective customers.”


In addition, attackers stole names, phone numbers and account PINs for 850,000 prepaid customers, it says.


The warning follows Monday’s confirmation by the Bellevue, Washington-based mobile communications subsidiary of Germany’s Deutsche Telekom that it was investigating a breach of its systems but wasn’t yet able to confirm if customer data might have been stolen.


In a statement released late Tuesday, however, T-Mobile says: “While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.”


Thus far, T-Mobile says it has found no signs that financial information, including bank account or credit or debit card details, was exposed, but it says numerous personal details were exposed for postpaid customers, as well as names and PIN codes for prepaid customers.


Postpaid refers to a mobile phone subscription plan that charges an individual at the end of the month for what they have actually used. Prepaid subscribers pay a flat, monthly fee for service.




Stolen: 7.8 Million Postpaid Customers’ Details


For the 7.8 million postpaid customers whose details were exposed, as well as the 40 million records for individuals – both customers and prospects – who applied for credit with T-Mobile, the company says that “some of the data accessed did include customers’ first and last names, date of birth, Social Security number and driver’s license/ID information.”


Given the risk of account takeover, identity theft and fraud facing these individuals, T-Mobile says it will be immediately contacting all affected individuals and offering them a prepaid, two-year subscription to McAfee’s ID Theft Protection service.


T-Mobile recommends that postpaid customers “proactively change their PIN by going online into their T-Mobile account or calling our customer care team by dialing 611 on your phone.” It notes that at least so far, there are no signs that any attackers have attempted to use the stolen information to take over prepaid accounts.


T-Mobile says it will also be offering postpaid customers “account takeover protection capabilities” that add an extra step to change mobile account details, “which makes it harder for customer accounts to be fraudulently ported out and stolen.”


T-Mobile has promised to publish a dedicated web page on Wednesday detailing all of this information, including steps it recommends for customers to better protect themselves.


Stolen: 850,000 Prepaid Customers’ Details


For the 850,000 prepaid customers affected by the data breach, T-Mobile says records containing their names, phone numbers and account PINs were stolen. “We have already proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away,” it says.




Attackers also stole “some additional information from inactive prepaid accounts accessed through prepaid billing files,” it says. “No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”


T-Mobile says that no prepaid customers of Metro by T-Mobile, as well as former prepaid customers of Sprint or Boost, were affected by the breach.




Investigation Launched After Theft Report


T-Mobile says it began investigating the breach immediately after reports surfaced that its customer data had been stolen, bringing in third-party digital forensic investigators and alerting law enforcement authorities.


“Late last week, we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems,” it says. “We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.”


Credit for the breach has been taken by a group of individuals that security analysts say appear to have been involved in the targeting of telecommunications firms – via SIM-swapping attacks and lookup services that match phone data with numbers – since at least 2018 (see: T-Mobile Probes Attack, Confirms Systems Were Breached).


One self-proclaimed participant in the endeavor uses the alias Anton Lyashevesky and is apparently also closely linked to the @und0xxed Twitter handle. He told Information Security Media Group that the stolen data was for sale for $286,000 and that “multiple” parties were interested.


Records of negotiations seen by ISMG, however, suggest that the data was being offered for sale for much less.


Lyashevesky told ISMG that the actual T-Mobile data theft was accomplished by the individual tied to the @Intelsecrets account.


Gene Yoo, CEO of security firm Resecurity, says @Intelsecrets also has been linked to another handle, @v0rtex, which three years ago sold a lookup service that matched IMSI numbers with phone numbers from multiple carriers.


In a Sunday tweet, @Intelsecrets claimed the breach included “names, addresses, SSNs, DoBs, card numbers, DL numbers, IMEI/IMSI, and more” for 36 million T-Mobile customers.


Attackers Claim ‘Insecure Backup Server’


In a Tuesday tweet, @und0xxed claimed that the customer data had been stolen by @Intelsecrets from “an insecure backup server” where it “was sitting in plaintext.”



A tweet from @und0xxed claims the data was stolen from a backup server. (Source: Twitter)

As Vice has reported, and Lyashevesky has confirmed to ISMG, the attackers had attempted to shake down Mike Sievert, CEO of T-Mobile USA, by sending him – and T-Mobile’s cybersecurity head – an offer for the return of the stolen data in exchange for $2 million worth of bitcoin or monero cryptocurrency. The attackers say T-Mobile never responded.


Lyashevesky says the stolen information includes Social Security numbers for well-known individuals. “There’s an old entry for Trump, Biden’s dead son is in there, the director of the CIA is in there, James Clapper and James Brennan are in there, and a few others,” he said. He claims @IntelSecrets had access to the data for two or three weeks, until the access was shut off on Saturday.


Lyashevesky claims @IntelSecrets has since relocated from Turkey to Belarus.


Executive Editor Jeremy Kirk contributed to this report.
