January 19, 2023

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Image: customink.com

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

T-Mobile said it first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. The company says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing reads. “We have made substantial progress to date, and protecting our customers’ data remains a top priority.”

Despite this being the second major customer data spill in as many years, T-Mobile told the SEC the company does not expect this latest breach to have a material impact on its operations.

While that may seem like a daring thing to say in a data breach disclosure affecting a significant portion of your active customer base, consider that T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket.

The settlement related to the 2021 breach says T-Mobile will make $350 million available to customers who file a claim. But here’s the catch: If you were affected by that 2021 breach and you haven’t filed a claim yet, please know that you have only three more days to do that.

If you were a T-Mobile customer affected by the 2021 incident, it is likely that T-Mobile has already made several efforts to notify you of your eligibility to file a claim, which includes a payout of at least $25, with the possibility of more for those who can document direct costs associated with the breach. OpenClassActions.com says the filing deadline is Jan. 23, 2023.

“If you opt for a cash payment you will receive an estimated $25.00,” the site explains. “If you reside in California, you will receive an estimated $100.00. Out of pocket losses can be reimbursed for up to $25,000.00. The amount that you claim from T-Mobile will be determined by the class action administrator based on how many people file a legitimate and timely claim form.”

There are currently no signs that hackers are selling this latest data haul from T-Mobile, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.

T-Mobile customers should fully expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even send messages that include the recipient’s compromised account details to make the communications look more legitimate.

Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.

Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.


48 thoughts on “New T-Mobile Breach Affects 37 Million Accounts

  1. Lindy

    Looks like the fines are not having an effect…. they’ve been hacked in 2021, 2022 and now in 2023.

    1. Michelle

      I am a tmobile customer just going in to pay my bill to see this notice of a bad actor. Are you kidding me a bad actor??? My account pin was changed another ip gained access on 12/16. So I call they were so kind to waive the 15 dollar fee for changing. Y number which solely inconvenience me with Dr schools and so on. I tell them I want a new Sim and phone because the last month I can hear but nobody can hear me out of the blue explains why I’m getting weird messages from people. Not including the 29 a month I am now putting in place to mo it or my credit because the last yr I’ve worked really hard. To be told I’m entitled to an upgrade with a 600 down payment are you kidding me. I have to change my email address all my credit cards. Let me mention my bill is paid every month ahead of time. I am furious this us Not right!!!! This is not our fault!!! I’m sick over this.

      1. LibertadEntVision

        I’ve be affected all three times and they have never mentioned to me nor on prepaid nor contract and recently this last hack breach has been hell and they keep denying it and refusing to fix my credit issues when I have proven the dark web activity and they want to act like $25 for lifetime of misery and constant harassment fraud and not fair is being nice , they are dirty and shysty . As they charge me for fees on more security and they block me out and account prepaid to force me into contract yet lost access to my number and icloud. They deserve to be exposed and held accountable this time for real! I’ve already lost over $3500.00 in client’s contracts and business in past months alone!
        Bs. They understand.,,, sure.

      2. Kimberly

        I’m in the same boat. I’ve had all of this happened and more. I’m not sure what do anymore. I try to talk to someone in the United States but I can’t reach anyone. The store just laughs at me. I was on a joint account, the other party passed away 7 months ago. T mobile has his obituary yet I had to sti pay the his phone. It was stolen by whomever found him in his home after his stroke. Now my bill is more than it was when both are lives were opened and being used. I am on a fixed income. I paid the bill every month. I can get know help. They promise to fix it with every phone call but my bill just gets higher and higher. I’m almost in tears now just talking about. My bill should no more that 65.00 but it’s 119. And change. I can’t afford it. They want his phone back. I didn’t live with him and I don’t know who has it. He’s dead yet I’ve been paying for it. If anybody can help please help.

    2. Michelle

      I am a tmobile customer just going in to pay my bill to see this notice of a bad actor. Are you kidding me a bad actor??? My account pin was changed another ip gained access on 12/16. So I call they were so kind to waive the 15 dollar fee for changing.my number which soley inconvenience me with Dr schools and so on. I tell them I want a new Sim and phone because the last month I can hear but nobody can hear me out of the blue explains why I’m getting weird messages from people. Not including the 29 a month I am now putting in place to monitor my credit because the last yr I’ve worked really hard. To be told I’m entitled to an upgrade with a 600 down payment are you kidding me. I have to change my email address all my credit cards. Let me mention my bill is paid every month ahead of time. I am furious this is Not right!!!! This is not our fault!!! I’m sick over this.

    3. MJ

      Not only that, but T-Mobile is saying that this time “no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.” Hardly reassuring, since this info was leaked in the previous two massive data breaches. If you realize how much information these people have on us, we’re doomed. Anyone here recommends Sprint? By the way, T-Mobile didn’t notify me of this the third leak in as many years.

  2. Marcus Aurelius Tarkus

    Another major data breach impacting yet another careless, uncaring target-rich enterprise? Ho-hum. This one did not affect me. I have lost count of how many previous such did. Privacy? Dead, dead, dead!!!

    1. clientSurfer

      Come now, Marcus, we can’t just blame anything willy-nilly on the cellular carriers and wireless providers and device vendors and component manufacturers and OS providers and hardware engineering companies and baseband black-boxing companies and system software development companies and application software development companies and retail outlets and wholesale outlets, now can we? I mean we’re their paying customers, for Pete’s sake! They could and would not ever never even dream of doing anything like that to their own paying custo……………… 😐

      Anyway you and I both know very damn well that it’s java. Not java developers. Not Sun and/or Oracle. Not even ne’r-do-wells. Just the java language in and of its own damn accord. Possibly Earthlink too…

      And thanks as always, Cyberhero Krebs, for continuing to do-so-well throwing ne’r-do-wells down the well!

      “You now have one extra little fact to tuck away in the millions of little facts you have to memorize because so many of the programs you depend on are written by dicks and idiots.”
      – P. Welch, ‘Programming Sucks’, “Still Drinking”, Peter Welch, USA, 14 April 2014, https://www.stilldrinking.org/programming-sucks, (accessed 19 January 2023).

      “Bitch!”
      – Jesse Pinkman (by Aaron Paul), “Breaking Bad”, s1e1-s5e16, AMC, 2008-2013. _Netflix_.

    2. Jake

      Hi Marcus.
      you’re right on them been careless, they being through this for about three years straight. the question here is what they’re do to prevent it from happening? let’s sit and wait for 2024. on there other-hand these companies don’t even care.

  3. Mike Jackson

    “Business” as usual for T-Mobile, a company I would NEVER have used since WELL before these “disclosure dates”….meh….

  4. Lesley McLaughlin

    What bearing does this breach have on customers who do business with a 3rd party that uses T-mobile and other carriers? E.g., my phone service is handled by Consumer Cellular, but the actual carrier is T-Mobile, as I understand it.

    1. GV

      I seriously doubt that the breach affects you since you are not actually a T-Mobile customer. The real T-Mobile customer is Consumer Cellular which leases cellular network bandwidth from the company for its own customers.

      I am also a Consumer Cellular customer but I am on the ATT network, the other cell network option. Consumer Cellular provides account protection that requires a 6-number PIN that makes it more difficult for someone else to swap your SIM card or make other changes to your account. CC started offering the option long before the major cell carriers began doing so.

  5. Mike

    The government isn’t issuing large enough fines for these breaches. Behemoths like T-Mobile can easily pay a few hundred million dollars without it impacting their bottom line. Fine them a few billion dollars and watch their cyber security increase in months instead of years.

    1. Robert.Walter

      Until CEO’s, CFO’s and CTO’s all get a day in prison for each breach, escalating to 2 days for second breach, 1 week for 3rd, escalating to years when there is a cover-up, and the companies and management are fined at EU like levels, these breaches will continue.

      1. Rogan Dwyer

        Now you are on the right track!! If the fines were meaningful and dented the value of the company, the board would be held accountable by the shareholders and then watch bad habits change. A paltry $50m D&O policy would not be sufficient to protect the personal assets of the directors even if the insurers did buck the trend and pay up!

    2. Can’t remember

      The fines will never be enough to actually deter any of these consequences as along as we have lawmakers in Congress willing to play the lobbyists’ games & line their pockets with their bribes.

      Regarding the credit freeze: How are we supposed to put on a credit freeze if we can’t even access our own credit report through the agencies because they have erroneous information? I’ve never been able to successfully pass their BS verifications.

    3. Henrik

      “The government isn’t issuing large enough fines for these breaches”

      And they never will.

      It’s a game whereby these multinational corporations have the power of lobbyists in the Swamp to keep Congress, et al, in check (just like the credit reporting agencies).

      1. DD

        And big pharma, and oil companies, and financial institutions and……

      2. Jake

        The government just sit and watch the rich get richer and the poor get poorer.

    4. RG

      They just pay off lawyers and prosecutors.
      A few people get $25. They don’t much care.

  6. Dennis

    They definitely improved their “security” by that $150 million investment – so now instead of leaking “names, dates of birth, Social Security numbers and driver’s license/ID information” they just leaked “customer name, billing address, email, phone number, date of birth, T-Mobile account number”.

    That’s an improvement, T-Mobile! Money well spent!

    1. Chip

      Except – knowing security budgeting as I do – that $$ was never spent. Or very little of it was. One the incident dies down, the $$ goes back into the pot and none spent on security. Until the next one occurs. This is why I document my security budget rejections – if the house burns down it wasn’t due to lack of water…

  7. Robert.Walter

    Morning Brian!

    “The company said it first learned of the incident on Jan. 5, 2022, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022.“

    Should be he Jan 5 date be 2023, not 2022?

  8. Josh Bosky

    Thanks for sharing the site, OpenClassActions.com in your article! I found loads of other data breaches I qualify to get money for!

  9. David Webster

    Hi Brian,

    Today’s piece sent me (re)reading Why Phone Numbers Stink As Identity Proof, March 2019, and Hanging Up on Mobile in the Name of Security, August 2018.

    Do you have updates to the guidance provided in WHAT CAN YOU DO? section in the 2018 piece?

    I have been a reader since the WAPO days. You are force for good in the world. Keep going.

  10. David Hughes

    Why don’t more people use email aliases? Yes, this protects just a single element of the breach, but it is a crucial element of significant scope. Routine use of aliases reduces one’s exposure to credential stuffing attacks, and can have broader advantages, depending upon the specific implementation. I’m curious to hear views about why aliases aren’t used by more people.

    1. Robert.Walter

      To David Hughes:

      I think it’s a lack of awareness of a) the scope of the problem, b) the simplicity of the solution, and c) baring a & b a kind of laziness to go to the trouble to make the changes.

      Me and my family are all in on the suite of solutions built into apple products:
      a) free iCloud Keychain for password generation and management, and TOTP 2FA authenticator codes (If a site suggests “Authy or google authenticator”, it will work with Apple’s built in solution),
      b) free Hide My Email for random iCloud email address generation and management,
      c) 99¢/mo Safari Private Relay for IP address masking.

      Sure, converting from old methods takes some time but it’s not requiring high brainer ability or great technical skill to implement or use.

      And the benefits of anonymity, firewalled compartmentalization, early detection and remediation (as well as a feeling of confidence you have done a good thing for yourself) are worth the time invested.

  11. CH

    I set up my own mail server, and set it so all email addresses at my domain go into my mailbox.
    Then I give out a different email address to every company I deal with: ch-and-t-mobile.com@something.mydomain.com
    If I start getting spam to one of them, I know instantly which company to blame, and I can block that address.

    If you have a Gmail account, you can add ‘+some_tag’ to your address: myname+and-t-mobile@gmail.com
    Additionally, Gmail ignores dots in the username: my.name@gmail.com == m.y.n.a.m.e@gmail.com

    I’m going to start doing this with my billing address too, either by adding a middle name or a box number, or perhaps an “Attention: xxxxx” line, whatever fits and doesn’t cause the mail to be lost.

    1. CH

      Since the information stolen was “customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.”, it would be good to change as many of those as you feel you have time for:

      Customer name: add a bogus middle name
      Billing address: add a box number
      Email: see above
      Date of birth: do they need your real date of birth, or would any date do?
      Account number and plan features: could be done

      Then if someone calls you up and refers to the old information, you instantly know it’s a scam.

      Make sure to write down what you gave them, just in case they end up using it to confirm who you are when you call. Finally, a use for 3×5 index cards! 🙂

      Cheers

      1. Robert.Walter

        What you are suggesting was leading edge a decade ago, state of the art 5 years ago but is cumbersome and obsolete nowadays.

        I did all the things you suggest for myself and family members. It was good for its time but the benefits were meager and the time and administrative burden was significant, enormous even. In 2021 I junked it all for Hide My Email and have never been happier with my risk footprint.

        As for notes, you can keep them in the notes section in either iCloud Keychain password index or the Hide My Email address index (I prefer the p/w notes section). I keep a shorthand of phone number, address, birthday there as well as bogus answers to challenge questions, recovery keys, one time codes, etc. (I use pseudonyms and a consistent fake birthday for nonessential accounts.)

      2. wesley

        If you are a postpaid customer for any of the mobile carriers they will have your DOB from running a credit check on you when signing up. Yet another advantage to using a prepaid carrier if you find one that fits your needs instead since they all use either ATT, VZW or Tmobile in the end.

    2. Robert.Walter

      Hi CH,
      one doesn’t need their own server or domain to achieve this if they are using Apple gear.

      As I explained to Mr Hughes Apple makes this easy for everybody who is willing to take a bit of time to get organized.

      Apple’s Hide My Email has an own domain feature built into it so all the functionality it provides is available for folks like you. It should be noted that a custom domain compromises anonymity though as it’s not nearly as anonymous as iCloud dot com for a domain.

      Also, the Gmail approach is too spotty to be useful as many many sites reject the +suffix syntax.

      Further a) it’s a hassle keeping a log of what suffix you assigned to what domain, b) anonymity takes a hit with this method too when everything before the + is the same. The gmail +suffix method is only good for early detection via spam. It doesn’t prevent profiling.

      I did lots of the gmail+suffix solution about 5 years ago and was so happy to move to hide my email as it has so many more benefits and so little administrative burden.

    3. D4ni

      Thank u for ur post n the great info. I appreciate it very much after everything I lost due to Tmobile data breach of 2023. I’m a nurse and I rely on my cell phone for everything. I was forced to leave a job I loved due to this breach. Now I know what to do with my new phone (and carrier)! Thank u thank u!

  12. Anthony McAnelly

    I joined a legal group that has refused the small payment T Mobile offered. Our legal pros are demanding more due to the breach. Id rather take a chance losing 25 bucks toward a chance of getting 750 to a 1000 bucks in settlement.

  13. ronw

    “The amount available to customers who file a claim will be $x.”

    Where “x” should be the cash value of the total compensation including bonuses paid to all C-Level executives in the 5 years preceding the year of the breach.

  14. Angelika

    I was one of those robbed. my 10-year-old phone number was stolen without my knowledge in 2021. I just received a text message that your request to change provider has been accepted. when i called the campaign, they said they don’t know anything about it and they don’t know who has my number i moved to crickiet.

    -angelikakasia6

  15. Grumpy

    splendid – just got a ping from Discover that my SSN was found on dark web due to TMO breach from 2021. “Notify SSA about this” is the advice. The only useful suggestion on SSA.gov is to block all e-actions and put a block on the number – BUT if you need to access to it at any time later you have to go to local office. What a wonderful solution!!!! We are going to help you in distress by making your life 10 times more difficult.

  16. BJ

    As T-Mobile service has vanished from Sedona & Cottonwood (AZ) as of the 18th of January (2023) and remains out four days later, maybe their IT people are too busy with the data breach issue to do the maintenance necessary to keep the damn network up and running.

    (Spoke with two T-Mobile people – from somewhere in Asia I think – who sounded concerned but, y’know, the service is still down.)

  17. Mat

    Just take a look at the qualifications of these cybersecurity executives including CISO. Anyone who can talk some buzzwords with connections can become a CISO who never had any type of formal security engineering background. It’s like getting heart transplant from an attorney who could speak surgeon buzz words!

    Things will only get worse because most of these engineering jobs have been outsourced to cheap labor countries for long time now. People in the US are just some sales/marketing type support roles in many organizations. You think these CISOs have any clue on their own software security?

  18. Holden Gatsby

    The use of birth dates as a personal identifier is no improvement over using socials, especially with PHI data. My name and birth date are all I’m asked for for identification when calling my medical providers. There needs to be some real world penalties, not slaps on the wrist for these lousy custodians of our PI.

  19. Troy Frericks

    Google Fi, a T-Mobile reseller, just notified me “that the primary network provider [T-Mobile] for Google Fi recently informed us there has been suspicious activity relating to a third party system that contains a limited amount of Google Fi customer data.”

    My guess it’s related, albeit belated.

Comments are closed.