T-Mobile is warning that a data breach has exposed the names, dates of birth, Social Security numbers and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. The acknowledgment came less than 48 hours after millions of the stolen T-Mobile customer records went up for sale in the cybercrime underground.
In a statement Tuesday evening, T-Mobile said a “highly sophisticated” attack against its network led to the breach of data on millions of customers.
“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the company wrote in a blog post. “Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”
Nevertheless, T-Mobile is urging all T-Mobile postpaid customers to proactively change their account PINs by logging into their T-Mobile account online or by calling customer care at 611. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” the advisory reads.
It is not clear how many people total may be impacted by this breach. T-Mobile hasn’t yet responded to requests for clarification regarding how many of the 7.8 million current customers may also have been affected by the credit application breach.
The intrusion first came to light on Twitter when the account @und0xxed started tweeting the details, and someone on a cybercrime forum began selling what they claimed were more than 100 million freshly hacked records from T-Mobile. The hackers claimed one of those databases held the name, date of birth, SSN, drivers license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.
T-Mobile said it was also able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.
“We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” T-Mobile said. “We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”
T-Mobile said it would pay for two years of identity theft protection services for any affected customers, and that it was offering “an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.” Why it wouldn’t make that extra protection standard for all accounts all the time is not entirely clear.
This stolen data is being actively sold, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.
T-Mobile customers should expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even messages that include the recipient’s compromised account details to make the communications look more legitimate.
Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.
If you’re a current T-Mobile customer, by all means change your account PIN as instructed. But regardless of which mobile provider you patronize, consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
Are you ready for pishing campaigns?
I hate being pished on!
Especially when they tell me it’s just raining.
“don’t piss in my pocket, and tell me it’s not raining outside.”
Here, let me fix that for you:
*phishing campaigns.
Pishing…
Is what you do in your front yard while watching the birdies not yet poached by the cartel. *psh-psh*
But something tells me…
You already know that. Hm.
why would they have people’s SSN?
Because they applied for credit from T-Mobile, as the story says:
“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,”
That’s past tense. I have the question in the present tense, “why would they _have_?”
Because when you apply for credit, anywhere, your information including your SSN stays on file. I work for a car dealership. We have the credit application on file for every single person that has applied for credit with us, whether they purchased a car or not.
I used to work for a company that car dealers used to run credit reports. We had customer information about every customer who ever came in contact with one of our dealerships. We never deleted the old information; no matter how long we had it, it would stay in the system.
what does that mean – “apply for credit” with a cell provider? Sign up for post-paid?
…yes, signing up for post paid is asking the cell company to issue you credit…
…so they have to follow the law as described in FCRA…
They are creditors. They have to be able to issue past due bills to credit reporting agencies, and send out for collection.
Seems like in 2021 there should be a better way to identify me other than keeping my SSN in plain text somewhere for two decades.
I mean, I can watch a Jojo Siwa video on my TV and within seconds banner ads for bows are showing up on my phone. The Internet successfully identifies me with almost zero data, you’d think that smart, big companies like credit bureaus could do the same.
BTW, I’ve been a customer of T-Mobile for a decade and have financed things through them, and T-Mobile has never shown up on my credit report. Maybe I’m just lucky or they are just lame.
I’ve been a T-Mobile customer for over 20 years and it also doesn’t display on my credit report.
…because you paid your bills on time so t-mobile never reported you…
…but t-mobile did the check and eventually the check disappeared and yet they kept your ssn in case you don’t pay – why is anyone surprised by practices that have been in use for decades…
Because the practices are dumb.
None of the three major credit bureaus require SSNs to file reports. You can file a report with name/address and other identifying information.
https://www.experian.com/blogs/ask-experian/accounts-may-be-reported-even-without-social-security-number/
SSNs were designed to be just a unique identifier. Basically like a name, but better because there can only be one person with that number.
Do you care that your full name is in their database, in plaintext? No? Why not?
Because we generally don’t think of a name as a secret. Because a name isn’t so dangerous. Identity theft can’t really happen with just a name.
The problem is that many organizations have abused an identifier, and treated it as a secret used for verifying an identity. Could you imagine the chaos if someone could pretend to be you, just by knowing your full name? THAT was the problem with SSNs.
I think we need to punish lenders for their lack of diligence when allowing identity thieves to impersonate you with only a Full Name, Date of Birth, Home Address, and SSN. There needs to be a lot more required before a lender can issue credit (potentially to the wrong person). If they do get tricked, they should bear some of the cost of repairing credits.
The solution is NOT to just accept SSNs as some kind of secret.
…so a few years ago (like in a lot of years ago) the tax return law (a regulation, but it has the force of law) was changed and the SSN was required on tax returns for dependents – thousands of pets disappeared from tax returns…
…the Fair Credit Reporting Act (FCRA) requires that the credit report be accurate and the credit decision by the merchant or the bank be based on factual information – which in turn requires an id, which became the SSN since it was guaranteed to be unique (ignoring synthetic identity fraud)…
…the merchant/bank must have an id to update the credit report accurately under the FCRA and it’s been that way for literally decades…
Yeah. Thank you.
I am very shocked that so many people don’t understand this. Maybe too many horror stories about SSNs being used for identity theft, so now people think they are supposed to be a secret that should be kept away from everyone, even when they want credit.
A good exemplar of why personal data should be treated like nuclear waste (as per Cory Doctorow, 2008). There’s zero excuse to hold on to 25+ years of customer data.
Other than those pesky government regulations you mean?
Which regulation requires them to keep it 25 years?
Regulations require much less than 25 years of retention… but it is based on last contract.
So if someone becomes a T-Mobile customer in the 1990’s, and still remains a customer, that data from the 90’s will be retained. Not that shocking really.
You mention using a security freeze in the US. What should people do, for example, in the UK and Germany?
All the more reason to buy unlocked phones from the manufacturer and use an MVNO or prepaid service.
We have T-Mob as a family. Within the last couple of weeks, everyone in our household got a spam message via SnapChat promoting a porn site. Each time it said we were found via our phone number.
They don’t need any of your personal information to send that spam.
When you get calls from credit cards companies about your new max-out credit cards – that will be using your stolen ID information.
Yawn. Another day, another “security breach”. SMS has turned phone numbers into de facto identity documents. Yawn. Another day, another identity theft. Other than a security freeze with the big data-brokers-pretending-to-be-credit-agencies, there’s not a damn thing any of us serfs can do about it. Time to bend over. Again.
I have filed FCC complaints against T-Mobile for retaining my credit card information twice. The records (network trouble tickets essentially) are still accessible on the FCC site. The chickens have come home to roost: I had to self-doxx to complain.
Commie run company!
communism is when you don’t update your IT security
How do you do a security freeze?
https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin
Call all three credit bureaus…last time I did it, it cost 10 bucks and lasted a year…
As a former TMobile customer, I am all giddy at the prospect of more “free credit monitoring” which will be the only remedy offered to customers.
Until companies pay huge fines and have to reimburse customers, they will continue to have sloppy security.
…who do you think actually pays those big fines?…
…you do in higher rates from the phone companies
Ok, prison terms. “We” will have to cover the costs of their incarceration, fair enough?
But seriously, your argument proves too much — if it were true that any and all financial penalties on businesses found culpable of malfeasance, or crimes ranging all the way up to wrongful deaths of their employees, or killing and/or seriously injuring hapless buyers of dangerous products the business injected into the stream of commerce — if all that money was simply “passed through” to the consumers, with no competing businesses managing to use the higher prices now charged, or smaller item weights or quality defects now used to save costs, to take a larger market share by raising prices less, or offering a better products at similar prices, you would be correct, though. But there are businesses, including new startups, that do that thing.
Corporations and the ultra-wealthy fight and lobby against legislation, and even bribe public officials, to avoid legislation that creates higher tax rates, precisely because they cannot simply “raise prices and pass it on to the consumer, the sub-contractors” etc.
…none of what you said even remotely applies here…
…the credit bureaus exist to serve the companies that use them, not you…
…no one dies in a breach…
…no crime was committed so no one goes to jail…
…now, do the laws need to change, probably, but right now no crime was committed…
T-Mobile uses Okta for identity and access management… so how did this happen and how (in)secure is Okta?
Okta is not a silver bullet that magically secures an entire enterprise. I don’t know how it is implemented at T-Mobile, but I suspect some of the following apply:
1) Not every system uses Okta. In tech years, T-Mobile has been around for a very long time. Legacy systems are typically the last to be updated, if ever.
2) Credentials used for Okta are username/password or token based. These need to be kept secure. Connecting to a database requires credentials – are they in a file in clear-text, just waiting to be harvested by a hacker? It is hard to secure a ‘standalone’ system making calls to other systems: if the credentials are encrypted, you need the key used to encrypt. The encryption key thus needs to be protected and it’s ‘turtles all the way down’.
3) While Okta stores credentials, usually it’s not the only credential store within a company (think Microsoft Active Directory) and Okta is synchronized with these other credential stores. These other holders of usernames/passwords are easier targets.
4) TLS/SSL may not be implemented everywhere in T-Mobile’s systems. TLS/SSL requires certificates, which introduces operational complexity to keep them valid and up-to-date. Because of this, it is a common practice to implement secure communications up to a certain point, and then ‘trust’ that the network is secure from then on. Anything, including internal usernames/passwords, is then available in clear-text on that ‘trusted’ network.
5) A big use case for Okta is Multi-factor Authentication (MFA). MFA is a pain which reduces where it is implemented.
All databases with consumer info should be ENCRYPTED! There is no excuse for this!
Databases must be unencrypted to be used. When a hacker gains access, it is usually access to the running database. Encryption helps only if the hackers get an offline backup.
Now there can be encryption of certain columns, tables and/or functions, but again depending on the access the hackers had… it might have had encryption that didn’t matter at all.
Encryption is not a panacea, and in cases like this, might have been completely irrelevant.
Misapplied techniques do not amount to the entire field being “irrelevant” at all.
“…do not amount to the entire field…”
Why did you exaggerate and completely remove context?
I literally prefaced with, “in cases like this”. Very specific use case where encryption “might” have been irrelevant.
It’s never irrelevant. It’s always perhaps misapplied to various ends.
Perhaps your issue, is with the word irrelevant.
If someone says, “T-Mobile had a data breach of their backend database, which should be impossible since I always use HTTPS when logging into the tmobile website”.
Then someone responds, “in this case, transport encryption is irrelevant”.
Would that make sense to you?
It’s actually not irrelevant even in this case where you go around it.
That’s reductive and false.
If an attacker goes around a security control like it’s not even there, I’d call that irrelevant to the attack.
@GregB
In the example given, it’s not even a security control that applies. It’s inapplicable. Or to put it in terms that @other-anon doesn’t seem to understand, it’s not relevant (irrelevant).
That doesn’t make it irrelevant at all.
It’s not relevant to one exploit mentioned.
Fleeting foci are not superlatives.
“It’s not relevant to one exploit mentioned”
That makes it irrelevant to the attack which is the topic of discussion.
@Gregory/@other-anon, seems hell bent on using a very broad definition of “irrelevant”, as if calling encryption irrelevant in this specific use case, means the same thing as calling all encryption useless for everything.
Look how quickly @other-anon decided to take it to the extreme, “..the entire field being “irrelevant” at all..”
Maybe English is not your first language, but please learn before you argue.
Cyber Security experts: “Be sure to set up MFA wherever you can.”
Also Cyber Security experts: “Remove your phone number from as many online accounts as you can.”
Thanks, guys.
Also Cyber Security experts: “Set up Strong MFA wherever you can, and phone numbers are not strong MFA”
What is MFA?
Multi Factor Authentication (MFA). Typically
A.) Something you know (PIN, SSN, password, etc.)
B.) Something you have (Phone, USB token, Physical key, etc.)
C.) Something you are (Fingerprint, retinal or face scan, voice, etc.)
Two Factor Authentication (2FA) would require you to present 2 of the 3 above “factors” as credentials
MFA can be 2 or 3 or more “factors”. An online bank account can be logged into using name + password (which you know), but you can add another security factor – which is almost always an SMS text to your phone (which only you have) – or a fingerprint scan using the phone.
I don’t have to worry about it because I’m obviously immune. I already have free credit monitoring from the last 17 mega-breaches…
Seriously though – I owned a post-paid T-Mobile account for about a week back in 2002. I cancelled because their coverage was not great at my home. WHY IN THE HELL are my details still on their systems? It’s been 20 years! I am SO tired of this irresponsible behavior from service providers and large corporations.
How did you find out if your personal information is still on their systems?
I don’t know about my creds specifically, but they have reported that 1) the breach contained user details going back to the mid-90s, and 2) the breach contained details on people who had just applied for accounts.
While I can’t say for sure that my info is out there, it does match the criteria. Even if mine specifically aren’t in the breach, there are millions who ARE (by T-Mobile’s own admission).
It is inexcusable to retain PII on people who are no longer customers (for years!), then lose it into the wild. Completely inexcusable.
Ah, I see the problem. Maybe Krebs can clarify.
I read that very differently. That (1) and (2) are not describing the same account data.
1 OR 2… rather than 1 AND 2
1) Accounts that are still open in 2020 or 2021, but were opened back in the 1990’s, will still contain details “going back to the mid-90’s”.
2) If people applied for accounts in 2020, they have a data retention policy that requires them to keep those details for a while. I don’t know how long exactly, but when they run your credit history they have to keep records.
I did not read that as those 2 statements referred to the same data elements.
Your data is probably long gone if you haven’t dealt with them since that long ago.
At this point, it might just be more efficient for T-Mobile to buy one of the identity theft protection service companies.
Dear Sir,
The post that’s at the bottom of the scroll titled, ‘Why So Many Top Hackers Hail from Russia’ does not load, flash, or do anything, and the letters in that link header appear slightly larger and bolder than other properly-loading posts. I cut and pasted the link header verbatim, as shown, above. Just an FYI. Thank you.
S.
Tell me one thing: how did you know about the Freeze?
There are multiple past articles about credit freezes here on KOS.
A previous poster already mentioned this one:
https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin
Hopefully a full disclosure will come out one day (yeah, right) that outlines how they were able to offload 100 GB worth of data from an internal network to the ether. It’s not _that_ difficult to detect that kind of activity on a corporate network.
I’m sensing we’ll hear about T-Mobile’s CTO or CSO retiring to spend more time with their family in the coming days.
Here we do not know much about security in the information but you are providing security. What kind of security has he used to keep a lot of data safe?
I saw the “Breaking News” and immediately tried to change my password on my online account. Every time I hit the submit button I was taken to a page saying “Uh-oh, looks like our lines are crossed, try again later”……WHAT? Tried many times and even tried to hit the contact us button on the site and got an “Oh Snap, something went wrong” with a link to “go home” which brought me back to the main page! I clicked the link for the phone number for customer support and got a blank page. So not only do they let someone get all your private and personal and sensitive information, they block you from changing your password to protect yourself from further damage/loss!!! Called the number I located via search because 611 is technical support for the phone, and each time, I have a wait time of over an hour so I go through the motions to have a call back instead. Two days and still waiting for a call back and still can’t get the website to function at changing my password as of 9:00 a.m. PST. What a horrible company!
I have, for the last two days, tried to change my PW on the T-mobile website.
I keep getting the following error:
Service Unavailable.
F451 : Uh-oh, it looks like we have our wires crossed. Please try again later.
I had this error happen to me on Sunday when I heard about the breach. What I would advise doing is using the chat support feature within the T-Mobile App to have the agent send you a link to change the password. They will also assist you in changing your PIN and add the account takeover protection to your line/s. In all honesty I do not know how much any of this supposed protection will help us in the future though.
2 days after Brian reported the breach: T-Mobile would not allow me to sign up for their 5G home Internet service without providing BOTH a driver’s license or passport number (pick one) AND a social security number.
I declined, despite their assurance that they “protect” the information.
I don’t agree with the premise that your SSN needs to be in an unencrypted form. T-Mobile rarely needs your SSN. There are several technical solutions … such as storing the SSN in an encrypted format within the database. The record would only be unencrypted within the program when needed.
I received this notice from T-mobile today:
T-Mobile has determined that unauthorized access to some of your personal data has occurred. We have no evidence that your debit/credit card information was compromised. We take the protection of our customers seriously. We are taking actions to protect your T-Mobile account and we recommend that you take action to protect your credit. Read more here: t-mo.co/Protect
We need legislation to require a higher standard of data protection.
Unfortunately, all of the data that was stolen is probably already legally being sold by various companies aggregating this stuff.
I agree about the legislation part. Much is needed to punish poor security practices and incentivize the good.
So database encryption does exist. And in this instance, it may have very well been encrypted. We may never know.
The thing about “hackers”, is they exploit the part you describe as, “only be unencrypted within the program when needed”.
This isn’t a case of someone walked into a datacenter and snatched hard drives from the server racks.
Databases get breached using the normal access methods that would decrypt the database records just as fast/easy as if they were unencrypted.
I think JamminJ is correct that encryption shouldn’t be considered a silver bullet for SSN or, frankly, any piece of “sensitive” data.
A more holistic approach is necessary, certainly one that includes encryption, but also addresses things like:
– How has the data been limited in scope both in terms of accessibility and lifespan? The only entities I can think of that need continuous access to something like SSN are the credit reporting agencies and governments. Not even lenders need continuous access; they just need referential access at the point in the business process where that reference is required. It’s technologically lazy / operationally risky to store sensitive data that only has periodic value to the business, as you suggest above.
– How has the attack surface been minimized during the period of time where the data is “live,” in other words, accessible and utilized? I think encrypting data can often give rise to complacency elsewhere in the tech stack, in other words, “we’re okay because our data is encrypted.” No, you really aren’t.
– Does the data strategy assume the organization has already been compromised? I’ve found it’s often helpful for organizations to turn the telescope around, so to speak, and define their SOP as how they would operate their business in the event of a breach.
“all your tmobile bases belong to us”
been hearing this a lot but with different corporations’ names,
guess as long as major corps make huge profits and can pay
for identity protection, forensics, and cleanup instead of security for customers data
this trend will continue.. “carry on, nothing to see here chap!”
The bad news is that this happened. The good news is that it shouldn’t affect you much, because you should’ve always assumed that all your private information is out there, continually being sold and resold on the dark web. On second thought, perhaps that’s not such good news after all, but it’s sadly quite accurate.
This is going to continue to happen until we have real federal laws on the books that hold these outfits responsible in a BIG way financially. X charge per customer per day that the breach happened, payable to the customers, NOT some law firm in a class action.
Paying the customers off in “credit monitoring” (frequently provided by outfits that have THEMSELVES been breached) is a joke, and not even a good one at that.
I use a contract-less cellphone provider which I renew monthly if they’re doing OK, and get another if they screw up too often.
As for credit cards, I cut all mine up years ago, and feel _much_ better. At times it’s a nuisance, but it’s better than always having to look over your shoulder.
The Credit Card Consciousness, and the monitoring/reporting agencies that aid and abet them, are the biggest scam of late-stage Big Brother Capitalism in its present form. It takes two to play that game. Use cash, checks, PayPal, GooglePay, ApplePay, whatever. Your attack surface will be lessened, and you’ll sleep better.
Afterthought: At some point or another, Data Theft and the grief that comes with it will result in a General Credit Card Strike, where everyone just stops paying their credit cards, period. Think it can’t happen? (chuckles…)
THEN see how fast IT security gets taken seriously!
Can someone please explain to me the most likely way that the hacker got access? Weak password/ lack of MFA? Bribed an insider?
Also, would encryption at the column-level have prevented the hacker from getting SSNs / DLs?
We don’t have all the details, so some of this is conjecture.
It appears they accessed the Oracle host via SSH through a test gateway that was left unsecured and exposed to the Internet. If they took the DB directly from the server, then it’s possible that encrypting the SSN/DOB columns would have protected them. However, if the hackers were to somehow have gained access to the client app (which would decrypt the columns), then they might have gotten the data anyway, though not as easily.
As for the login, I’m a little rusty on my *nix, but it looks like they connected via ssh from the test gateway and that the login credentials from the gateway were trusted. Perhaps the test gateway didn’t have MFA and accepted previously phished or easily guessed credentials. Being a misconfigured test device, it’s reasonable to assume it wasn’t particularly secure nor being monitored.
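The column-level encryption question raised twice in this thread (storing the SSN encrypted and decrypting only in the application, and whether that would have stopped someone who copied the database versus someone who reached the client application) is illustrated by the following added example; it is not code from the article, from T-Mobile, or from any commenter. It encrypts the SSN column of a constructed applicant table and exposes two paths: a raw dump as a database copy would see it, and the application lookup that holds the keys. The cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen so the example runs on the Python standard library alone; production code should use AES-GCM or similar from a vetted library.

```python
"""Column-level encryption of an SSN field in a credit-application table."""
import hashlib
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> Tuple[bytes, bytes, bytes]:
    """Independent encryption, MAC and blind-index keys from one master key."""
    return tuple(hmac.new(master, label, hashlib.sha256).digest()
                 for label in (b"enc", b"mac", b"idx"))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a counter-mode PRF (stand-in for AES so only the stdlib is needed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce keeps equal SSNs from encrypting alike."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(idx_key: bytes, ssn: str) -> str:
    """Keyed hash of the digits so the app can look up by SSN without a plaintext
    column; unlike a plain hash of a 9-digit number it cannot be brute-forced offline."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return hmac.new(idx_key, digits.encode(), hashlib.sha256).hexdigest()


class CreditApplicationStore:
    """Applicant table (in-memory SQLite) whose SSN column holds only ciphertext."""

    def __init__(self, master_key: bytes) -> None:
        self.enc_key, self.mac_key, self.idx_key = derive_keys(master_key)
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE applicants (name TEXT, ssn_enc BLOB, ssn_idx TEXT)")

    def add(self, name: str, ssn: str) -> None:
        blob = encrypt_field(self.enc_key, self.mac_key, ssn.encode())
        self.db.execute("INSERT INTO applicants VALUES (?, ?, ?)",
                        (name, blob, blind_index(self.idx_key, ssn)))

    def find_by_ssn(self, ssn: str) -> Optional[Tuple[str, str]]:
        """The application path: it holds the keys, so whoever drives it gets plaintext."""
        row = self.db.execute("SELECT name, ssn_enc FROM applicants WHERE ssn_idx = ?",
                              (blind_index(self.idx_key, ssn),)).fetchone()
        if row is None:
            return None
        return row[0], decrypt_field(self.enc_key, self.mac_key, row[1]).decode()

    def raw_dump(self) -> List[Tuple[str, bytes, str]]:
        """What a copy of the database file, or a SELECT without the keys, yields."""
        return self.db.execute("SELECT name, ssn_enc, ssn_idx FROM applicants").fetchall()


def dump_exposes_ssn(store: CreditApplicationStore, ssn: str) -> bool:
    """True if the raw rows contain the SSN (with or without dashes) in readable form."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return any(ssn.encode() in row[1] or digits.encode() in row[1] or digits in row[2]
               for row in store.raw_dump())


if __name__ == "__main__":
    store = CreditApplicationStore(secrets.token_bytes(32))  # constructed sample, not real data
    store.add("Sample Applicant", "123-45-6789")
    print("raw dump exposes SSN:", dump_exposes_ssn(store, "123-45-6789"))  # False
    print("application lookup:", store.find_by_ssn("123-45-6789"))
```

The raw dump yields nothing usable without the keys, while `find_by_ssn` returns plaintext to anyone able to drive the application or read its key material, which is exactly the gap the thread describes.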
Thank you. Is there any reason for a DB like that to be connected to the internet?
Seems like T-Mo are being pretty disingenuous about what information was compromised. My wife and I are both T-Mo customers.
Here’s the message she got:
Importantly, we have NO information that indicates your SSN, personal financial or payment information, credit/debit card information, account numbers, or account passwords were accessed.
Here’s the message I got:
We have no evidence that your debit/credit card information was compromised.
I assume this means that all of the information they didn’t list in my message was compromised? If so they should just tell me that rather than trying to downplay it.
Ridiculous company, this is what, their 3rd breach in as many years? Just had $40,000 cleaned out of an investment account because someone knew my SSN and was able to bypass the phone-number 2FA. Already lawyered up…
once the anger passes, best thing to do is
what senor Krebs declared years ago:
security freeze your credit accounts,
security freeze your loan accounts,
security freeze, security freeze, security freeze.