Today, T-Mobile’s CEO Mike Sievert said that the hacker behind the carrier’s latest massive data breach brute forced his way through T-Mobile’s network after gaining access to testing environments.
The attacker could not exfiltrate customer financial information, credit card information, debit or other payment information during the incident.
However, T-Mobile says that he stole records belonging to 54.6 million current, former, or prospective customers, containing Social Security numbers, phone numbers, names, addresses, dates of birth, T-Mobile prepaid PINs, and driver license/ID information.
“No ongoing risk to customer data”
“While we are actively coordinating with law enforcement on a criminal investigation, we are unable to disclose too many details,” Sievert said in a statement published earlier today.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
Sievert added that, following an investigation supported by Mandiant security experts, the company closed the access points used by the hacker to breach T-Mobile’s network.
“We are confident that there is no ongoing risk to customer data from this breach,” the US mobile carrier’s CEO added.
“There is much work to do, and this will take time, and we remain committed to doing our best to ensure those who had information exposed feel informed, supported, and protected by T-Mobile.”
This is the sixth major data breach T-Mobile publicly acknowledged in the past four years:
Hacker makes fun of T-Mobile’s ‘awful’ security
John Erin Binns, a 21-year-old American now living in Turkey, claims to be the one behind this massive breach, according to a Wall Street Journal report from Thursday.
After hacking into their Washington state data center, he purportedly gained access to credentials for more than 100 servers on T-Mobile’s network.
According to Binns’ claims, the initial attack vector used to breach the T-Mobile network was an Internet-exposed and unprotected router.
“Their security is awful,” the alleged attacker said. “I was panicking because I had access to something big.”
In his Telegram chat with the WSJ, Binns avoided confirming if he was paid to hack into T-Mobile’s systems or if he sold any of the stolen data to others.
As BleepingComputer reported almost two weeks ago, a threat actor was selling what he claimed to be a database containing the personal info of roughly 100 million T-Mobile customers on a hacking forum.
He also said the attack’s goal was to “retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019.”
Binns sued the FBI, CIA, and Department of Justice in 2020, claiming he was tortured and harassed. He is trying to force the USA to release documents exposing these activities under the Freedom of Information Act.
When asked to confirm Binns’ claims, a T-Mobile spokesperson told BleepingComputer that the company has “nothing to say” outside of what was already publicly shared.
How to protect your data and your T-Mobile account
Any threat actors who got their hands on the information of T-Mobile customers stolen in this incident can use it in highly dangerous SIM swapping attacks that could allow them to take over victims’ online accounts and steal their identity.
All potentially affected customers should be on the lookout for suspicious emails or text messages pretending to come from T-Mobile and, if they spot one, should not click on any embedded links, to avoid having their credentials stolen.
T-Mobile encourages customers to take the following actions as soon as possible to protect their accounts:
- Set up Scam Shield: Tap into our network’s advanced scam-blocking protection and turn on anti-scam features such as Scam Block and Caller ID.
- Enable Account Takeover Protection: Use our free Account Takeover Protection service to help protect against an unauthorized user fraudulently porting out and stealing your phone number (postpaid only).
- Check additional resources for more ways to protect yourself.
Update: Added T-Mobile’s statement on Binns’ claims that he was the one behind the attack.