US mobile phone provider T-Mobile has just admitted to getting hacked, in a filing known as an 8-K that was submitted to the Securities and Exchange Commission (SEC) yesterday, 2023-01-19.
The 8-K form is described by the SEC itself as “the ‘current report’ companies must file […] to announce major events that shareholders should know about.”
These major events include issues such as bankruptcy or receivership (item 1.03), mine safety violations (item 1.04), changes in a organisations’s code of ethics (item 5.05), and a catch-all category, commonly used for reporting IT-related woes, dubbed simply Other Events (item 8.01).
T-Mobile’s Other Event is described as follows:
On January 5, 2023, T-Mobile US […] identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time.
In plain English: the crooks found a way in from outside, using simple web-based connections, that allowed them to retrieve private customer information without needing a username or password.
T-Mobile first states the sort of data it thinks attackers didn’t get, which includes payment card details, social security numbers (SSNs), tax numbers, other personal identifiers such as driving licences or government-issued IDs, passwords and PINs, and financial information such as bank account details.
That’s the good news.
The bad news is that the crooks apparently got in way back on 2022-11-25 (ironically, as it happens, Black Friday, the day after US Thanksgiving) and didn’t go away empty-handed.
Plenty of time for plunder
The attackers, it seems, had enough time to extract and make off with at least some personal data for about 37 million users, including both prepaid (pay-as-you-go) and postpaid (billed-in-arrears) customers, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.
Curiously, T-Mobile officially describes this state of affairs with the words:
[T]here is currently no evidence that the bad actor was able to breach or compromise our systems or our network.
Affected customers (and perhaps the relevant regulators) may not agree that 37 million stolen customer records, notably including where you live and your data of birth…
…can be waved aside as neither a breach nor a compromise.
T-Mobile, as you may remember, paid out a whopping $500 million in 2022 to settle a breach that it suffered in 2021, although the data stolen in that incident did include information such as SSNs and driving licence details.
That sort of personal data generally gives cybercriminals a greater chance of pulling off serious identity thefts, such as taking out loans in your name or masquerading as you to sign some other sort of contract, than if they “only” have your contact details and your date of birth.
What to do?
There’s not much point in suggesting that T-Mobile customers take greater care than usual when trying to spot untrustworthy emails such as phishing scams that seem to “know” they’re T-Mobile users.
After all, scammers don’t need to know which mobile phone company you’re with in order to guess that you probably use one of the major providers, and to phish you anyway.
Simply put, if there any new anti-phishing precautions you decide to take specifically because of this breach, we’re happy to hear it…
…but those precautions are behaviours you might as well adopt anyway.
So, we’ll repeat our usual advice, which is worth following whether you’re a T-Mobile customer or not:
- Don’t click “helpful” links in emails or other messages. Learn in advance how to navigate to the official login pages of all the online services you use. (Yes, that includes social networks!) If you already know the right URL to use, you never need to rely on links that might have been supplied by a scammers, whether in emails, text messages, or voice calls.
- Think before you click. It’s not always easy to spot scam links, not least because even legitimate services often use dozens of different website names. But at least some, if not many, scams include the sort of mistakes that a genuine company typically wouldn’t make. As we suggest in Point 1 above, try to avoid clicking through at all, but if you do, don’t be in a hurry. The only thing worse that falling for a scam is realising afterwards that, if only you’d taken a few extra seconds to stop and think, you’d have spotted the treachery easily.
- Report suspicious emails to your work IT team. Even if you’re a small business, make sure all your staff know where to submit treacherous email samples or to report suspicious phone calls (for example, you could set up a company-wide email address such as
firstname.lastname@example.org). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.
Short of time or expertise to take care of cybersecurity threat response? Worried that cybersecurity will end up distracting you from all the other things you need to do? Not sure how to respond to security reports from employees who are genuinely keen to help?
Learn more about Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response ▶
3 comments on “T-Mobile admits to 37,000,000 customer records stolen by “bad actor””
“There’s not much point in suggesting that T-Mobile customers take greater care than usual when trying to spot untrustworthy emails such as phishing scams that seem to ‘know’ they’re T-Mobile users.”
The last two or three weeks have seen a HUGE upsurge in phishing for credentials for Yahoo accounts as well as the others they host (Prodigy, AOL, Pacbell, AT&T, Bellsouth, etc.).
It sure seems like a lot of email accounts have appeared available, but Yahoo has made no announcement.
Interestingly, the list or hackers don’t seem to distinguish between the domains. Bellsouth users have gotten phishing emails for Yahoo and Pacbell, etc.
The biggest annoyance is that the phishing landing sites always seem to be hosted by Weebly or Square. These two don’t seem to do any screening at all.
So not as bad as the Optus breach in terms of scope of information downloaded, but sharing poor API security as the vector for compromise?
Yeah sounds like a pretty similar situation for the most part. Not as much personal information but more users effected.