Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer’s mobile device.
On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data,” but said it was too soon in its investigation to know what was stolen and how many customers might be affected.
“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote.
“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”
The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but was instead in charge of finding buyers for the stolen T-Mobile customer data.
Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.
They claim one of those databases holds the name, date of birth, SSN, drivers license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.
The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.
“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”
Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.
“Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.” Continue reading