T-Mobile confirmed that attackers had recently gained access to its servers and took various files containing the personal data of millions of customers.
On Monday, CIM reported that a forum user was claiming to be selling a portion of T-Mobile’s database containing the details of 30 million people.
According to new details, the breach affected around 7.8 million T-Mobile postpaid, 850,000 T-Mobile prepaid, and approximately 40 million former customers. In total, the attackers were able to steal data of 48.6 million records.
“Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers,” the US mobile carrier said.
“Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”
However, the file stolen from T-Mobile did contain highly sensitive information like phone numbers and credentials for a portion of customers.
“At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed,” the carrier added. “We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files.”
T-Mobile has already reset the passwords for these accounts to prevent them from being compromised. They are also notifying all affected users.
The company is now taking the following steps to protect its customers:
- 2 years of free identity protection services with McAfee’s ID Theft Protection Service;
- advising its postpaid customers to change their PINs immediately;
- offering Account Takeover Protection service to secure mobile accounts against unauthorized access and fraud;
- on Wednesday, T-Mobile is expected to publish a unique web page with all information and solutions to help customers protect their accounts.
Data from mobile breaches like this one could be used by bad actors to carry out impersonation, social engineering, scam attacks, and more.
“This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” told Crane Hassold, director of threat intelligence at email security company Abnormal Security, to Wired.