Not all data breaches are created equal. None of them are good, but they do come in varying degrees of bad. And given how regularly they happen, it’s understandable that you may have become inured to the news. Still, a T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention, especially if you’re a customer of the “un-carrier.”
As first reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million people from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver’s license information, and IMEI numbers, unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”
A lot of that information is already widely available, even the social security numbers, which can be found on any number of public records sites. There’s also the reality that most people’s data has been leaked at some point or another. But the apparent T-Mobile breach offers potential buyers a blend of data that could be used to great effect, and not in ways you might automatically assume.
“This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” says Crane Hassold, director of threat intelligence at email security company Abnormal Security. “That’s the first thing that I thought of, looking at this.”
Yes, names and phone numbers are relatively easy to find. But a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises, say, a special offer or upgrade for T-Mobile customers. And to do so en masse.
The same is true for identity theft. Again, a lot of the T-Mobile data is out there already in various forms across various breaches. But having it centralized streamlines the process for criminals—or for someone with a grudge, or a specific high-value victim in mind, says Abigail Showman, team lead at risk intelligence firm Flashpoint.
And while names and addresses may be fairly common grist at this point, International Mobile Equipment Identity numbers are not. Because each IMEI number is tied to a specific customer’s phone, knowing it could help in a so-called SIM-swap attack. “This could lead to account takeover concerns,” Showman says, “since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts—such as email, banking, or any other account employing advanced authentication security features—using a victim’s phone number.”
That’s not a hypothetical concern; SIM-swap attacks have run rampant over the past several years, and a previous breach, which T-Mobile disclosed in February, was used specifically to execute them.
T-Mobile confirmed on Monday that a breach had occurred but not whether customer data had been compromised. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed,” the company said in an emailed statement. “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
In the meantime, you have a few admittedly limited steps you can take to protect yourself, or at least limit the potential fallout if all that data did get stolen. Change your T-Mobile password and security PIN. Companies that have leaked social security numbers and other especially sensitive information have in the past offered free credit monitoring to victims, so keep an eye on communications from T-Mobile to see if it offers the same. As for stopping SIM-swap attacks, there’s not much you can do against a determined attacker, but a good first step is to start using app-based authentication instead of having codes sent to you by text message.
After so many data breaches in recent years, it’s easy to let them drift by without paying much mind. And it’s true, to a certain extent, that most of the data you care about is available to hackers. “If I’m going to be doing some identity theft, most of the information is already out there in one of the dozens of other data breaches that have happened previously,” Hassold says.
But it’s still important to focus on the big ones, both to know your specific risks and to hold companies accountable for their lapses. So far, shrugging it off hasn’t worked; if the data’s legitimate, this would be T-Mobile’s sixth known breach in four years.