T-Mobile Data Breach – 54 million Customers Affected

-

 On August 17th, 2021, the mobile communications company T-Mobile uncovered evidence of illegally accessed customer data. Since the discovery, reports have only gotten worse for T-Mobile with over 54 million customers’ data being exposed as a result of the cyberattack. The information was first seen being sold last week on a popular forum for criminal activity for six bitcoins (about $280,000 USD). The data being sold could contain data for about 100 million customers.  

 

This data includes: 

  • Birth dates 
  • Driver’s licenses 
  • Social security numbers 
  • IMSI (International mobile subscriber identity)  
  • IMEI (International Mobile Equipment Identity) 
  • Phone Numbers 
  • Names 
  • Security PINs 

 

The hacker claims to have compromised T-Mobile's production, staging and development servers over two weeks ago, including a database that contained customer data. "Their entire IMEI history database going back to 2004 was stolen," the threat actor told BleepingComputer. The threat actor provided proof of the compromise to researchers in the form of a screenshot of an SSH connection to a production server. 

 

The threat actors claimed to have performed the hack to damage US infrastructure. "This breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019," the threat actors told Alon Gal, CTO of cybercrime intelligence firm Hudson Rock. "We did it to harm US infrastructure". 

As of today (Aug. 20th, 2021): 

  • 13.1 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information. 
  • 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information. 
  • 667,000 accounts of former T- Mobile customers exposing customer names, phone numbers, addresses and dates of birth compromised.  
  • 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed.  
  • 52,000 names related to current Metro by T-Mobile accounts may have been included. 

It is advised that T-Mobile customers assume that their data was compromised and be vigilant with regard to phishing emails and suspicious SMS texts. Additionally, it may be good measure to change any passwords or PINs to T-Mobile accounts and devices. 


Relevant articles:

https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation 

https://www.bleepingcomputer.com/news/security/t-mobile-data-breach-just-got-worse-now-at-54-million-customers/ 

Comments

Post a Comment

Popular posts from this blog

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more