New T-Mobile Breach Affects 37 Million Accounts – Krebs on Security

T-Mobile today announced a data breach affecting tens of millions of customer accounts, the second major data breach in as many years. In a filing with federal regulators, T-Mobile said that an investigation determined that someone misused its systems to collect subscriber data related to approximately 37 million current customer accounts.

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused its application programming interface (API) to collect information on approximately 37 million current postpaid and prepaid customer accounts. The stolen information included customer names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information about the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. If not properly secured, however, these APIs can be used by malicious actors to collect the data stored in those databases en masse. In October, the Australian mobile provider Optus revealed that hackers abused a poorly secured API to steal the data of 10 million customers in Australia.
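As an added illustration (not code from the article or from T-Mobile), here is a small detection routine a defender could run over API access logs to flag a single client pulling many distinct account records in a short window, which is the en-masse collection pattern the paragraph describes. The log lines, token names, account ids and endpoint path are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (not real data): timestamp, client token,
# request path containing the account id, and HTTP status.
SAMPLE_LOG = """\
2023-01-01T10:00:01Z tok-A /v1/accounts/10001 200
2023-01-01T10:00:02Z tok-A /v1/accounts/10002 200
2023-01-01T10:00:03Z tok-A /v1/accounts/10003 200
2023-01-01T10:00:04Z tok-A /v1/accounts/10004 200
2023-01-01T10:00:05Z tok-A /v1/accounts/10005 200
2023-01-01T10:00:06Z tok-B /v1/accounts/20001 200
2023-01-01T10:05:00Z tok-B /v1/accounts/20001 200
2023-01-01T10:06:00Z tok-C /v1/accounts/30001 403
"""


def parse_line(line):
    """Split one log line into (timestamp, token, account id, status)."""
    ts, token, path, status = line.split()
    account = path.rsplit("/", 1)[1]
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), token, account, int(status)


def find_enumerators(log_text, max_distinct=3, window=timedelta(minutes=1)):
    """Return {token: distinct_account_count} for clients that successfully
    fetched more than `max_distinct` different accounts within any sliding
    `window`. Denied requests (non-200) are ignored so that the detector only
    counts data that actually left the API."""
    by_token = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, token, account, status = parse_line(line)
        if status == 200:
            by_token[token].append((ts, account))

    flagged = {}
    for token, events in by_token.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it lies within `window` of `end`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[token] = max(flagged.get(token, 0), len(distinct))
    return flagged
```

In the sample, only `tok-A` is flagged: it read five different accounts in five seconds, while `tok-B` re-read its own account and `tok-C` was denied.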

The company said it first learned about the incident on January 5, 2022, and an investigation determined that the bad actor began abusing the API starting on November 25, 2022.

T-Mobile says affected customers are being notified and no customer payment card information, passwords, Social Security numbers, driver’s licenses or other government identification numbers have been exposed.

In August 2021, T-Mobile admitted that hackers had compromised the names, dates of birth, Social Security numbers, and driver’s license/ID card information of more than 40 million current, former or potential customers who had applied for credit with the company. The breach came to light after a hacker started selling the logs on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class-action lawsuits stemming from the 2021 breach. The company has promised to spend $150 million of this money to strengthen its cyber security.

In its filing with the SEC, T-Mobile argued that protecting customer data remains a top priority, but suggested that it will take years to fully realize the benefits of improvements in cybersecurity.

“As we previously announced, in 2021 we began a significant multi-year investment working with leading foreign cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the document said. “We’ve made significant progress to date, and protecting our customers’ data remains a top priority.”

Although this is the second major breach of customer data in as many years, T-Mobile told the SEC that the company does not expect this latest breach to have a significant impact on its operations.

While that may seem like a bold thing to say when disclosing a data breach that affected a significant portion of your active customer base, consider that T-Mobile reported earnings of nearly $20 billion in the third quarter of 2022 alone. In that context, paying lawyers a few hundred million dollars in a class-action settlement every two years is a drop in the bucket.

The 2021 breach settlement said T-Mobile will provide $350 million to customers who file claims. But here’s the catch: if you were affected by the 2021 breach and haven’t yet filed a claim, please know that you have three more days to do so.

If you were a T-Mobile customer affected by the 2021 incident, it’s likely that T-Mobile has already made several attempts to inform you of your right to file a claim, which includes a payment of at least $25, and more for those who can document direct costs associated with the breach. The settlement site says the deadline to file a claim is January 23, 2023.

“If you claim a cash payment you will receive approximately $25.00,” the site explains. “If you live in California, you will receive approximately $100.00. Out-of-pocket losses are covered up to $25,000.00. The amount you claim from T-Mobile will be determined by the class action administrator based on how many people file a valid and timely claim form.”

There’s currently no indication that hackers have sold this latest batch of data stolen from T-Mobile, but if the past is any guide, more of it will soon be posted online. It’s a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers, and harassment.

T-Mobile customers should fully expect to see phishers using public concern over the breach to impersonate the company — and may even send messages containing the recipient’s stolen account information to make the communication appear more legitimate.

Stolen and compromised data can also be used for identity theft. Credit monitoring and ID theft protection services can help you detect and recover from identity theft, but most won’t do anything to prevent it. If you want maximum control over who can look at your credit or issue new lines of credit in your name, a security freeze is your best option.

Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as possible. Many online services require you to provide a phone number when registering an account, but in many cases this number can be removed from your profile later.

Why do I suggest this? Many online services allow users to reset their passwords simply by clicking on a link sent via SMS, and unfortunately this widespread practice has turned mobile phone numbers into de facto identity documents. This means that losing control of your phone number, whether through an unauthorized SIM swap or number port-out, a divorce, a layoff or a financial crisis, can be devastating.
