August 16, 2021

Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer’s mobile device.

On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data,” but said it was too soon in its investigation to know what was stolen and how many customers might be affected.

A sales thread tied to the allegedly stolen T-Mobile customer data.

“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote.

“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but were instead in charge of finding buyers for the stolen T-Mobile customer data.

Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.

They claim one of those databases holds the name, date of birth, SSN, driver’s license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States, all going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.

“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.

“Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.”

T-Mobile declined to comment beyond what the company said in its blog post today.

In 2015, a computer breach at big three credit bureau Experian exposed the Social Security numbers and other data on 15 million people who applied for financing from T-Mobile.

Like other mobile providers, T-Mobile is locked in a constant battle with scammers who target its own employees in SIM swapping attacks and other techniques to wrest control over employee accounts that can provide backdoor access to customer data. In at least one case, retail store employees were complicit in the account takeovers.

WHO HACKED T-MOBILE?

The Twitter profile for the account @Und0xxed includes a shout out to @IntelSecrets, the Twitter account of a fairly elusive hacker who also has gone by the handles IRDev and V0rtex. Asked if @IntelSecrets was involved in the T-Mobile intrusion, @und0xxed confirmed that it was.

The IntelSecrets nicknames correspond to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted, among them Kenny “NexusZeta” Schuchmann, who pleaded guilty in 2019 to operating the Satori botnet. Two other young men have been charged in connection with Satori; IntelSecrets has not been.

How do we know all this about IntelSecrets/IRDev/V0rtex? That identity has acknowledged as much in a series of bizarre lawsuits filed by a person who claims their real name is John Erin Binns. The same Binns identity operates the website intelsecrets[.]su. 

On that site, Binns claims he fled to Germany and Turkey to evade prosecution in the Satori case, only to be kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his alleged capture and torture by the Turks.

Since then, Binns has filed a flood of lawsuits naming various federal agencies, including the FBI, the CIA, and the U.S. Special Operations Command, demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Speaking to the researcher Alon Gal (@underthebreach), the hackers responsible for the T-Mobile intrusion said they did it to “retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure.”

Update, Aug. 18, 9:15 a.m. ET: In a blog post Monday evening, T-Mobile acknowledged that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers.


93 thoughts on “T-Mobile Investigating Claims of Massive Data Breach”

  1. curve22

    Why are they storing SSN in plaintext? Do those silly PCI related checkbox requirements not cover it? I know TMob has a stellar track record with security related incidents.

    At this point anything you input into a site is not to be trusted. It’ll eventually get leaked/exposed.

    1. Stof

      Like any compliance so-called ‘attestation’, the faux-independent assessor has biased motivations to make the customer happy for ongoing engagements and revenue. PCI DSS is no exception, therefore the QSA reports are as good as ‘trust us’ from an employee or business partner of the subject organisation.
      No offence to any QSA; you clearly know that your employer has at least once, likely now as an unspoken rule, made an omission or removed something unwanted from a ROC because the ‘customer’ (ergo not the subject) asked.

    2. Jose Ortiz

      PCI pertains to credit card information. SSNs are not as important (in PCI terms) as credit card information.

      1. johnnyBgood

        Even though, in reality, SSNs are a LOT more critical to secure. *facepalm*

        I think the scariest, most horrifying fact is that Tmobile might have never even known they were hacked, had the perp not attempted to sell the data.

      2. Jackie medlock

        Can you please explain to me what is going on?? I’m a 60-year-old disabled female living on a fixed Social Security income. The amount I receive is considered living below the poverty level, and over the last months my account has been drained, different amounts, but yet my statements show no ATM withdrawals... and I’m experiencing other issues.

    3. JamminJ

      Short numeric-only secrets like SSNs and PINs are often stored in plaintext because hashing doesn’t really help with security.

      A rainbow table would be tiny. And even if not precomputed, iterating with brute force can be done in seconds.

        1. Brian

          You can’t hash and/or salt information that you have to be able to retrieve. You can only use a reversible encryption method.

          1. Jake

            I don’t think there is any legitimate business need for a carrier to store SSN after the initial credit check to issue a postpaid account. And even then they didn’t really need to store it to make that business process work.

            1. JamminJ

              There’s a credit check. But also, credit reporting for those who stop paying their bill. Could you imagine the chaos if carriers were to purge SSNs from all databases? I know a lot of people who would take advantage of that system, where a creditor could no longer send to collection agencies or ruin a person’s credit because they decided to not pay their bills. I suppose they could just adopt a policy of no credit reporting, and just eat the cost of unpaid bills.

              But do we really want that kind of system? Where the people who pay their bills on time, have to pay more to cover the people who don’t pay their bills and won’t even get hit on their credit score or get a call from collectors?

              1. other-Anon

                ALL of that can be outsourced to credit agencies in fact.

                1. JamminJ

                  So what unique identifier will they use to outsource to a third party?

                  1. MattyJ

                    Some kind of, oh I don’t know, token, that has no other meaning?

                    Or literally anything else aside from a SSN which can be used to do all kinds of nefarious things?

          2. somedude

            Why would you need to decrypt the PIN ever? If you are trying to match the PIN then a one-way hash will work, and you do not have to worry about anyone getting the PIN in case you are hacked.

            1. JamminJ

              Passwords and PINs indeed CAN be hashed when stored.

              Passwords are arbitrary, long and complex (hopefully). So storing as hashes makes it secure. Creating a rainbow table or cracking the hashes can take a long time when users choose strong passwords.

              PINs with 4 numeric digits contain only 10,000 possible combinations. No hashing algorithm stands a chance. They can be cracked within fractions of a second.
              PIN security is only possible if it can be rate limited (online attack).
              For offline attacks (dumping the database), when it would matter whether the PIN is stored hashed, encrypted or in plaintext, there are no rate limits, and salts and decryption secrets are dumped as well.

              SSNs and DL#s need to be retrieved by their backend services as they are creditors with a continuous need and in case overdue bills need to be sent for collection and the credit reporting agencies.

              1. other-Anon

                Your understanding of how rainbow tables work is comedy.

                1. JamminJ

                  Care to offer your understanding?
                  It’s easy to just be a naysayer and contrarian, but when you have to actually explain your thoughts, people can see if you know anything.

                  1. other-Anon

                    I’m not being paid to offer my understanding.
                    We can see you think you know everything already.

                    1. mealy

                      Other-anon, you’re being a troll. Don’t bother commenting then if you are not contributing.

                    2. mealy

                      “Gregory” up to his old tricks again, @JamminJobber.

    4. Blacksanic

      No the “silly PCI requirements” are a joke.

      They check if your “PCI environment is secure” and seem to just ignore all other structured and unstructured data.

    5. gh0stface

      Stellar track record!? Umm… This is their 4th breach in 3 years….

      1. Richard Turnbull

        Stellar track record in the dystopian contest to get their data hacked — read the original post again and “hear the irony,” although I guess this is a variant of Poe’s Law.

    6. BB

      What is the most likely way that the intruder got access? Weak password, no 2FA? To those who say encryption wouldn’t have mattered, what about column-level encryption on SSN?

      1. Brian

        It depends on two things. How the hackers obtained access, and what kind of access controls were in place.
        Column or Table level encryption on a database could protect from someone stealing an entire offline backup database, as well as protect from stolen credentials from a lower level employee that would not have access to that data.

        From what I understand, this hack had significant privileges and system level access. So all decryption keys were available to the hackers. Role based access control is great, and definitely a good thing to combine with column or table level encryption.
        But when you hear about a major breach in which an entire database is stolen by hackers with system level permission,… That’s usually the ball game.

      2. BIO-key.com

        This article indicates that there was SIM swapping and some instances of T-Mobile admin account handover.

        This blind spot in mainstream MFA is what identity-bound biometrics is designed to prevent. Too much control is in the hands of individual users to delegate or share access to critical accounts.
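The PIN-hashing exchange in the thread above (10,000 combinations, salts dumped along with the table, rate limiting as the only real control) can be made concrete. The following is an added example written for this page; it is not T-Mobile code and does not describe how T-Mobile stored PINs. The storage formats (salted SHA-256 versus an HMAC keyed with a pepper the database never holds) and the five-attempt lockout are assumptions chosen to show the point: the same 10,000-candidate loop recovers a salted hash from a dump in well under a second, fails against the dump when the pepper lives outside the database, and is stopped by the lockout when it has to go through the online verifier.

```python
"""
Offline vs. online guessing of a 4-digit PIN (added illustrative example,
not code from T-Mobile or from this article; formats and thresholds assumed).
"""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every possible 4-digit PIN


def hash_pin(pin: str, salt: bytes) -> str:
    """Salted SHA-256: the 'but we hashed it' baseline. The salt sits in the same row."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def hash_pin_peppered(pin: str, salt: bytes, pepper: bytes) -> str:
    """HMAC keyed with a pepper held by the verifying service (HSM/KMS in practice),
    never written to the customer table. The row alone no longer determines the digest."""
    return hmac.new(pepper, salt + pin.encode(), hashlib.sha256).hexdigest()


def crack_offline(digest: str, salt: bytes,
                  hasher: Callable[[str, bytes], str] = hash_pin) -> Optional[str]:
    """Offline attack on one dumped row: no rate limit, 10,000 candidates, any speed.
    `hasher` is whatever function the attacker believes produced the digest."""
    for candidate in PIN_SPACE:
        if hasher(candidate, salt) == digest:
            return candidate
    return None


class OnlinePinVerifier:
    """The check as a service: the digest is compared only here, with a lockout after
    MAX_ATTEMPTS consecutive failures. That lockout, not the hash, bounds the attacker."""
    MAX_ATTEMPTS = 5  # assumed threshold

    def __init__(self, pin: str, pepper: bytes):
        self.salt = os.urandom(16)
        self._pepper = pepper                    # held by the service, not in the row
        self.digest = hash_pin_peppered(pin, self.salt, pepper)
        self.failures = 0

    def verify(self, attempt: str) -> bool:
        if self.failures >= self.MAX_ATTEMPTS:
            return False                         # locked: even the correct PIN is refused
        ok = hmac.compare_digest(self.digest,
                                 hash_pin_peppered(attempt, self.salt, self._pepper))
        self.failures = 0 if ok else self.failures + 1
        return ok

    def dumped_row(self) -> Tuple[str, bytes]:
        """What a database dump yields for this customer: digest and salt, no pepper."""
        return self.digest, self.salt


def enumerate_online(verifier: OnlinePinVerifier) -> Optional[str]:
    """The same 10,000-candidate loop, but through the rate-limited service."""
    for candidate in PIN_SPACE:
        if verifier.verify(candidate):
            return candidate
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    print("salted SHA-256 row, offline:", crack_offline(hash_pin("4321", salt), salt))
    v = OnlinePinVerifier("4321", pepper=os.urandom(32))
    digest, salt = v.dumped_row()
    print("peppered row, offline without pepper:", crack_offline(digest, salt))
    print("peppered row, online enumeration:", enumerate_online(v), "failures:", v.failures)
```

The caveat the thread raises still applies to the peppered variant: if the intruder reaches the service that holds the pepper (or the KMS it calls), the digest becomes crackable exactly like the salted one, which is what `crack_offline` with the correct pepper shows. The pepper only helps when the database and the verifier are genuinely separate trust boundaries.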

  2. BillT

    Based on information in this article and other public information (like the SSH session to an Oracle host), it seems likely that large amounts of sensitive data were breached. Very sloppy, T-Mobile. If I’m not mistaken, this is their 4th or 5th significant breach in the last few years. And I’m guessing their consumer contracts preclude any sort of lawsuits and instead force arbitration.
    T-Mobile should be forced to purchase 5 years of credit monitoring for all affected, provide significant discounts for new devices, and replace SIM cards for free. They also need to have a credible 3rd party approve and monitor their security practices.
    No organization is hack-proof, but their track record is simply atrocious.

    1. Quid

      Those seem like legit class action lawsuit settlement conditions to go after.

      Maybe Erin Brockovich should start specializing in these massive breaches and make these big firms suffer in the media as well as change their evil ways (Sins of Omission).

      1. Richard Turnbull

        Maybe global heating and environmental catastrophes seem more important to Brockovich, but someone else could try.

    2. Kory

      This has been ongoing. I purchased two SIM cards and they sent my IMSI and IMEI by way of a company named synuniverse in the email header. That hole was already there and after the swap my phone was hijacked and bank account attempted to be accessed online / I do not use online banking but the bank and T-Mobile are right next to one another. I still have the emails and filed them with law enforcement. Synuniverse said to send a note to T-Mobile privacy with the data but I never heard back. This was in February and the same timeframe someone took money from my bank account by way of pretending to be bank employees sitting remotely.

  3. Sharon

    Anyone else thinkin’ what I’m thinkin’?? TIME TO GET A NEW CARRIER!! THIS has happened too many times for me. What’s sad is T-Mobile never lets us know; you hear about it from the media.

    1. unknown-knowns

      To be fair that’s probably how they found out too. CEO full spit take watching the news.

    2. Tom West

      They’re keeping former customer data, so switching doesn’t help…

  4. Concerned

    I had used T-Mobile back in the 1990s…and that info was still in their system? Why the heck did they need to keep that info on past customers 30 years ago? Data privacy groups are going to love this one…

    1. Harsh

      Not defending them. But Federal Regulators require carriers to store information of customers for a specific amount of time. But they are not allowed to touch any of the information. Still, 30 years seems like a long duration.

  5. Mickey

    A lot of very poor people have T-Mobile as their carrier thru the government free phone program. Yes, I know a lot of people don’t deserve the free phones, but many do, and if what little credit they may have could be affected by another hacking SOB, then I feel sorry for them. In many states, there is only one provider for the government free phone program, and it just happens to be T-Mobile.

  6. John E Pinkard

    I switched from Verizon to Tmobile 2 months ago. Does anyone know how recent this data is? I am hoping that it was earlier than when I joined.

    1. Robert.Walter

      Given T-mobile’s breach record, if you’re not affected by this one, they’ll get you the next time around. Haha. Ps if you haven’t already, it would be a good time to lock down your credit.

  7. Lorie

    Unfortunately, we have gotten to a point where you should just assume your information has been compromised! My data has been compromised by AT&T, Anthem BC/BS, Capital One, Equifax, and now T-Mobile. IMHO the penalties for these companies are not severe enough to make them care. They continue on and the customer spends the rest of their life proving they are who they say they are!!! By the way, don’t forget to notify the IRS and have your tax filing locked.

  8. Lou

    I just tried changing my password and the system failed when I tried. I am assuming it is too busy.

  9. Mike

    @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

    I’m really curious about this. I have been a Sprint customer since 2012 or so. Earlier this year, however, I got talked by T-Mobile into swapping my SIM card from Sprint to T-Mobile. Does this now mean I’m part of the group potentially affected by this or am I still lumped into Sprint, which apparently isn’t affected?

    These tech breaches are starting to cause me to pull my hair out.

    1. SomeRandomDude

      No, swapping your SIM just allows your phone onto the T-Mo network; you’re still in the Sprint billing system, which wasn’t breached unless you also fully migrated your account. I work for Sprint, now T-Mo, so I can attest to this 100%. I too have swapped my SIM but my account hasn’t migrated yet.

    2. und0xxed

      You’re affected in the breach if you’re using a T-Mobile SIM.

    3. Been Through This Crap Too Many Times

      I’m Sprint and received an alert from TMo that my account was compromised.

  10. James Hyde

    There should be no operational reason to store the drivers license or SSN, just re-verify if needed. Storing the drivers license didn’t prevent someone from simjacking my account anyway at a store (or reseller affiliate of TMobile).

    1. JamminJ

      Mobile carriers are creditors.

      Unless you are prepaid, most carrier plans are like most utilities, the customer can rack up a lot of charges before the bill comes due.
      So they do have to retain the data necessary to update your credit report as any creditor would.

      They need to keep record of unique identifiers like DL and SSN, otherwise people would just rack up enormous bills, then bounce around from carrier to carrier and open new accounts whenever the bill comes.

        1. nobody

          Yeah that’s the reality of how credit works. What’s nonsense is that people still don’t understand any of it and wear that ignorance like a badge.

          1. other-Anon

            It’s not a credit operation which has specific criteria. It’s a bill. It can be disputed.
            The problem is the EULA when you sign up.

            1. JamminJ

              Yes bills can be disputed. But what happens if a bill is not disputed, and just ignored? For months? For years?

              Do you expect creditors like mobile phone carriers to eat the cost of an overdue balance? Should all the fiscally responsible people, who do pay their bills, have to pay more to cover the losses?

              If creditors can’t keep SSNs or any useful PII, then they cannot give credit.

              1. other-Anon

                They don’t need to personally keep them on live accessible storage.
                False.

                1. nuh-uh

                  Yes they do. Have you ever actually had a job? For a large business?

                  1. other-anon

                    No. They do not need to. They made a business decision.
                    Is Experian a large enough business? Tmobile? Yahoo?
                    Appeal to inertia and quo fails. Plaintext PII? No excuses.
                    I won’t guess how many hamburgers your operation served,
                    but to my view that’s not really the only consideration.

                    1. mealy

                      You’re a liar. You haven’t made a single comment that would reflect any knowledge of cyber security. You just parrot a layman’s understanding. We’ve got real cyber security professionals like JamminJ commenting here, trying to explain why things are so fckdup, and you’re just spreading your ignorance because you like to argue with him.

                    2. Gregory

                      Hi, my name is Gregory AKA JamminJ.
                      I like to impersonate people who disagree.
                      That’s all.

      1. Jake

        True, they are creditors, but it’s not correct to say they need to persist data like DL and SSN. That doesn’t logically follow. It’s more correct to say that they need a way to associate and report on bad acts by an individual, across an indeterminate period of time, so they don’t extend bad credit to that individual twice. Then a well-developed data security strategy would help them answer the question, “How do we fulfill that business process/need without persisting sensitive data given the size of our attack surface?”

        This is a similar pattern to a subscription biller saying “I need to bill you monthly, therefore I need unrestricted access to your payment information.” No, they don’t. That problem has been solved. A conscientious data and business process architecture could have solved this problem too.

        1. JamminJ

          Yeah, that’s what a unique identifier does. But guess what. That’s the definition of PII (personally identifiable information).
          Data elements like SSN and DL are used for this exact purpose. Like it or not, the SSN is the primary identifier that associates an individual to a credit history.

        2. Jammin J

          Yes, it IS correct to say they need persistent data like DL and SSN. Long before KYC was more regulated like it is now. It does follow logically, although not very intuitive unless you’re in one of many industries.
          This is a similar pattern to a subscription biller saying “I need to bill you monthly, therefore I need to keep a credit card on file.” Not unrestricted full access. That’s a wild exaggeration. A SSN is a single unique identifier that is needed to extend credit month to month. We may not like it given how people now treat it like a password, but that’s the reality.

          1. Jake

            No, not correct.

            They do not *need* DL and SSN. That is myopic.

            What they *need* is a way to manage credit risk and discern changes to that credit risk for current or prospective customers.

            I might forgive a technologist for concluding “I need to perform credit reporting, therefore I need persistent direct access to DL and SSN.” But it’s frankly a myopic view of the range of solutions to the actual business problem.

            Somewhere in that risk management business process, *someone* may need DL and SSN. Like a credit reporting agency, who already has that data. But all the carrier needs is a way to make reference to it at the specific point in the process where that reference matters. It doesn’t need to be some kind of poor man’s primary key that allows them to SELECT * FROM VERY_SENSITIVE_DATABASE WHERE CUSTOMER_SSN = ‘123456789’.

            The recurring biller / credit card analogy is absolutely apt. For a recurring biller, a card PAN “is a single unique identifier that is needed to extend services month to month.” Your words precisely with only a single modified word. They stay out of scope by working with token vaults that are purpose built to BE attacked. Their technology mission is to minimize attack surface and be a deliberate target for the black hats. I’ll lay you odds that is nowhere in T-Mobile’s strategy. Why would it be? It isn’t their business mission. So perhaps they should work with entities that make it theirs.

            1. JamminJ

              Not sure what to say. This is the standard way creditors keep data.
              Utility companies and mobile phone carriers all do this.
              There is no other practical way than to keep SSNs on file. Yes, encryption is used, but it has to be reversible. Any full breach of the database will usually reveal the data.

              They keep your SSN in case you don’t pay. Why is anyone surprised by practices that have been in use for decades? The identifying number that CRAs and Collectors NEED, is the SSN. A token or any other layer of abstraction is just security through obscurity.

              I wish it was a more robust system too. But then interoperability would be crazy.
              Sorry you feel this way, but this is how the sausage is made. This is how credit works. Don’t like it? Use only pre-paid phones and figure out how to prepay utilities too.

              1. other_Anon

                You are myopic. What you call “the standard way” fails.
                “But then interoperability would be crazy.” Is not a fact.
                Standards can change.

                1. Greg

                  It’s not myopic. It’s reality. Ignorance is no excuse. Instead of being ignorant and surprised after every breach, if you wanted to understand the problem, then you could find better solutions.
                  JamminJ is correct. The problem is not plaintext Social Security numbers; it’s that people treat them like secret numbers.

                  1. other_Anon

                    Both are problems. One is locally solvable.
                    You’re wrong for making that an either-or.

        3. JamminJ

          We may not like it given how people now treat it like a password, but the reality is that a single unique identifier attached to an individual’s credit history is needed to extend credit month to month.
          The solution is not to ask, why have social security numbers, rather to protect them better.
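The thread above argues over where the SSN physically lives: in the carrier’s customer table, or only in a purpose-built vault that the carrier references by token and resolves at the one point in the process where the real number is needed. The following added example, written for this page and not code from T-Mobile, from any vendor, or from the commenters, shows the mechanics being described. The vault API, the caller names in the detokenization policy, and the sample records (including the 123-45-6789 placeholder from the thread) are all assumptions.

```python
"""
Tokenizing an SSN so the customer database never holds it (added illustrative
example; vault API, policy names and sample records are assumptions).
"""
import re
import secrets
from typing import Dict, List, Optional

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Separate trust boundary holding the only copy of each SSN.
    Tokens are random, not derived from the SSN: a hash of a nine-digit
    number is a 10^9 brute force, the same problem as a hashed PIN."""
    DETOKENIZE_ALLOWED = {"collections-reporting"}   # assumed policy

    def __init__(self) -> None:
        self._ssn_by_token: Dict[str, str] = {}
        self._token_by_ssn: Dict[str, str] = {}     # same SSN -> same token

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("malformed SSN")
        if ssn not in self._token_by_ssn:
            token = "tok_" + secrets.token_hex(16)  # no function of the SSN
            self._token_by_ssn[ssn] = token
            self._ssn_by_token[token] = ssn
        return self._token_by_ssn[ssn]

    def lookup(self, ssn: str) -> Optional[str]:
        """Existing token for an SSN, without creating one."""
        return self._token_by_ssn.get(ssn)

    def detokenize(self, token: str, caller: str) -> str:
        """Only the reporting path may turn a token back into an SSN; retail
        tooling, support consoles and analytics never can."""
        if caller not in self.DETOKENIZE_ALLOWED:
            raise PermissionError(f"{caller} may not detokenize")
        return self._ssn_by_token[token]


class CarrierCustomerDB:
    """The carrier's own table. It stores the token, never the SSN."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.rows: List[Dict[str, str]] = []

    def onboard(self, name: str, ssn: str) -> str:
        token = self.vault.tokenize(ssn)         # the SSN crosses into the vault once
        self.rows.append({"name": name, "ssn_token": token})
        return token

    def dump(self) -> List[Dict[str, str]]:
        """What an attacker with full read access to this database obtains."""
        return [dict(r) for r in self.rows]


def dump_contains_ssn(rows: List[Dict[str, str]]) -> bool:
    """Scan a dump for anything shaped like an SSN."""
    return any(SSN_RE.match(v) for row in rows for v in row.values())


def is_repeat_customer(db: CarrierCustomerDB, ssn: str) -> bool:
    """Credit-risk check without reading an SSN out of the carrier DB: ask the vault
    for the applicant's token (if any) and compare tokens."""
    token = db.vault.lookup(ssn)
    return token is not None and any(r["ssn_token"] == token for r in db.rows)


def report_delinquency(db: CarrierCustomerDB, token: str) -> Dict[str, str]:
    """Build the record sent to a credit bureau. The SSN is resolved at this point
    only, by the one caller the vault policy permits, and is not written back."""
    row = next(r for r in db.rows if r["ssn_token"] == token)
    ssn = db.vault.detokenize(token, caller="collections-reporting")
    return {"name": row["name"], "ssn": ssn, "status": "delinquent"}


if __name__ == "__main__":
    vault = TokenVault()
    db = CarrierCustomerDB(vault)
    tok = db.onboard("A. Customer", "123-45-6789")      # constructed sample record
    print("dump:", db.dump(), "contains SSN:", dump_contains_ssn(db.dump()))
    print("repeat customer:", is_repeat_customer(db, "123-45-6789"))
    print("report:", report_delinquency(db, tok))
```

The example does not settle the argument in the thread. It moves the target rather than removing it: a dump of the carrier table alone yields tokens, but an intruder who reaches the reporting service with detokenize rights, or the vault itself, is back to plaintext SSNs. What the split buys is that the vault is a small, single-purpose system that can be hardened and monitored far more tightly than a customer database with thousands of retail and support users.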

  11. Peter J.

    I hope that this makes them change their security code policy/process.
    Currently, when the associate pulls up your account, it shows them the code rather than requiring they enter it.
    This is, obviously, a very bad idea.

  12. Paul Mikol

    All the carriers are f’d: T-mobile, Verizon, Comcast. AT&T, Spectrum, Sprint, Cricket, Time Warner, etc.

    Bunch of hoes

  13. Kathy Aguilar

    This is exactly what happened to me. I have proof that I’ve been getting hacked and messed with by unknown businesses, all through Metro PCS, Samsung, Verizon, Sprint and T-Mobile. Where do I go to file a complaint, or where can I file a complaint? I’m not sure what to do. I’m overly concerned and I’m to the point where I can’t even log into any emails or get my DNA results. These hackers went as far as claiming my DNA results and my blood.

  14. diddy

    My Metro PCS by T-Mobile was hacked. My phone stopped working and they got into my email, also. They took money and crypto from my accounts. Does anyone know any attorney who I could contact?

    1. Richard Turnbull

      Try searching “attorneys near me who specialize in identity theft” and go from there.

  15. Richard Turnbull

    Stellar track record in the dystopian contest to get their data hacked — read the original post again and “hear the irony,” although I guess this is a variant of Poe’s Law. It’s a constant danger with irony, too.

  16. Jennifer

    I went to a T-Mobile store when I got a call from supposedly T-Mobile, and the store traced it, and the employee actually told me an untruth... said it was T-Mobile... and when I continued to press the question... I found out it wasn’t... so they knew my information was vulnerable and then treated me badly... because I got p o’d at them. Said their phones can’t get hacked. HA.

  17. Tom West

    “…going back to the mid-1990s.”
    T-Mobile should not be retaining former customers’ data for that long in the first place. There’s no need for them to have info on customers who left them 20+ years ago.

  18. Alfredo

    What remedies are they putting in place, or how do they plan to compensate subscribers? Monitoring fees on the three credit bureaus, at least?

  19. Brad Larkin

    We need to have fast, fixed financial penalties for data breaches that do not require extended litigation. T-Mobile earnings last quarter were $936 million or $0.78 per share. Earnings, not revenue. In the quarter, not year. For the last 4 quarters, they earned a total of $3.12 per share.
    The hacker is only asking for 6 bitcoin. T-Mobile should just negotiate to buy it back exclusively for 60 bitcoin and pay each affected individual (30 million unique SSNs) $100 each. That whole total would come to a total information technology dunce penalty of $2.50 per share, less than a full year’s earnings. Then maybe the (new) executives would start prioritizing and executing good security.

  20. Falcon

    Thanks for the news. But now I am wondering what the heck do I do to prevent this from happening in the future?
    If I leave T-Mobile or go pre-paid, they can still hold all of my info and it will get breached again and again because they obviously don’t care. The 2 years of credit monitoring that is usually offered is like offering pennies.

    Can I leave and demand that they delete all my personal info? (https://www.t-mobile.com/privacy-center/take-control-of-your-data).

    Serious question, what can be done?

    1. Peter Sichel

      Protecting personal data is a cat-and-mouse game the good guys won’t always win. The problem with stolen personal data is that it allows a bad actor to claim they are someone else. The solution is to authenticate people, not passwords or personal data.

      How do we authenticate people? With strong multi-factor authentication that includes a biometric. FIDO (Fast IDentity Online) is the emerging industry standard that does exactly this. To authenticate, it requires something you have (your smartphone), and something you are such as FaceID or TouchID. For step-up authentication, you can add more factors. These systems use public/private key cryptography and security hardware to ensure private keys never leave your phone. You and your phone must be present to authenticate. [Re-onboarding if you lose your phone is another piece of the puzzle.]

      The technology exists to make it much more difficult for a bad actor to impersonate someone else, yet easier to use than managing and entering passwords. Adopting these technologies will take time and resources, but the savings in fraud prevention will more than pay for it.

      1. JamminJ

        “The solution is to authenticate people, not passwords or personal data.”
        Bingo.
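Peter Sichel's comment above describes FIDO as a challenge signed by a private key that never leaves the phone, released only after a biometric check, with the server holding nothing but a public key. The Go program below is an added illustration of that exchange; it is not code from the comment, from T-Mobile, or from any FIDO implementation. It mimics the shape of a WebAuthn assertion (SHA-256 of the relying-party ID, a flags byte with the user-present and user-verified bits, and an Ed25519 signature over that data plus a hash of the server's challenge) using only the Go standard library, with SHA-256 of the raw challenge standing in for the real clientDataHash. The relying party `example.com`, the user `alice` and the rpID `phish.example` are made up.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WebAuthn flag bits: UP = someone touched the device, UV = its biometric/PIN check passed.
const flagUP, flagUV byte = 0x01, 0x04

// Authenticator stands in for the phone's secure hardware; nothing but Sign can use priv.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator makes the key pair on the device and hands back only the public half.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}

// Sign builds authData = SHA-256(rpID) || flags and signs authData || clientDataHash.
func (a *Authenticator) Sign(rpID string, clientDataHash []byte, userVerified bool) (authData, sig []byte) {
	flags := flagUP
	if userVerified { // true only when the local biometric check passed
		flags |= flagUV
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], flags)
	sig = ed25519.Sign(a.priv, append(append([]byte{}, authData...), clientDataHash...))
	return authData, sig
}

// RelyingParty is the server: public keys and outstanding challenges.
// A breach of this table gives an attacker nothing to log in with.
type RelyingParty struct {
	id      string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Challenge issues a fresh random nonce that the device must sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not fail in practice
	rp.pending[user] = c
	return c
}

// Verify checks an assertion in WebAuthn's order: challenge, rpID hash, flags, signature.
func (rp *RelyingParty) Verify(user string, clientDataHash, authData, sig []byte) error {
	challenge, ok := rp.pending[user]
	delete(rp.pending, user) // single use, whatever happens next: this is the replay defence
	if want := sha256.Sum256(challenge); !ok || !bytes.Equal(want[:], clientDataHash) {
		return errors.New("challenge missing, already used, or not what was signed")
	}
	if rpHash := sha256.Sum256([]byte(rp.id)); len(authData) != 33 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("assertion is malformed or was made for a different site")
	}
	if authData[32]&flagUV == 0 {
		return errors.New("user verification (biometric) did not happen")
	}
	signed := append(append([]byte{}, authData...), clientDataHash...)
	if pub, ok := rp.pubKeys[user]; !ok || !ed25519.Verify(pub, signed, sig) {
		return errors.New("signature does not verify: wrong device")
	}
	return nil
}

// Login runs one round: server challenge, device assertion, server verification.
// SHA-256 of the raw challenge stands in for WebAuthn's clientDataHash.
func Login(rp *RelyingParty, user string, auth *Authenticator, biometricOK bool) error {
	cdh := sha256.Sum256(rp.Challenge(user))
	authData, sig := auth.Sign(rp.id, cdh[:], biometricOK)
	return rp.Verify(user, cdh[:], authData, sig)
}

func main() {
	rp := NewRelyingParty("example.com") // made-up relying party
	phone, pub := NewAuthenticator()
	rp.pubKeys["alice"] = pub // enrolment: the server keeps the public key only
	fmt.Println("alice, her phone, biometric ok:", Login(rp, "alice", phone, true))
	fmt.Println("alice, her phone, no biometric:", Login(rp, "alice", phone, false))
	impostor, _ := NewAuthenticator() // holds alice's breached SSN, DOB and PIN, but not her key
	fmt.Println("impostor with breached data:  ", Login(rp, "alice", impostor, true))
}
```

The point the example makes concrete is what a breach of the server's side yields: `pubKeys` and a few unused challenges, neither of which lets anyone produce a valid signature. The rpID hash inside the signed data is also why a phishing site cannot relay an assertion to the real one, and deleting the challenge before any other check is what makes a captured assertion worthless on replay. A real deployment would additionally check a signature counter and bind the challenge to the browser origin through clientDataJSON; both are left out here to keep the exchange readable.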

  21. Johnny come Doey

    I’m still stuck on the fact T-Mobile had sensitive data on customers from the mid-1990s still parked on their servers. This is all setup so the surveillance state gifts some of its prosecutorial immunity to corporations violating basic human rights to privacy.

    Or think of it another way: once we get a supply chain attack big enough it’ll result in the government demanding new powers to “keep Americans safe.” Then they’ll throw in something about terrorism, money laundering, and child trafficking for good measure. Binns got tortured by Erdogan’s thugs because the CIA lied? Ransomware was developed by the CIA you say? The ‘crappy’ hackers who got paid crypto by Colonial Pipeline parked the private keys to their loot on a US server without mixing it you say?

    Meanwhile, whatever is behind FINCEN/Secret Service/Treasury/IRS wants to run DeFi into the ground with onerous “regulation” (read: surveillance) that is designed to do absolutely nothing about the national deficit, inflation, or projected budget shortfalls from the very same infrastructure bill they snuck it into at the last minute.

    But yeah sure let’s all worry about the hackers who got your SS number, IMSI/IMEI, and home address from a company that will face no penalties whatsoever because they’re the government’s mall cops employed to do proxy surveillance for the state, just like the banking establishment. Except it’s not enough to know where you are/what you like/what you own from transaction history (which they’ve been data mining since ATMS), they also want your physical movements and behavioral data from connected devices for you and everyone you know/travel with.

    Now, bearing all this in mind, recall how the FireEye/SolarWinds supply chain exploits got bird's-eye access to classified systems at a bunch of agencies, including Treasury/IRS. You think for one second a government that still keeps 9/11 families from seeing documents proving Saudi financing of the hijackers is ever going to be forthcoming about how bad those breaches actually were for national security, American safety, and privacy?

    1. JamminJ

      Brian, please clarify. It isn’t clear what you meant.
      Does “going back to the mid-1990s” refer to the oldest data set for those who opened t-mobile accounts back then and still have an active account?
      If so, I am not surprised. I would expect user details going back to the start of my account. Hell, a lot of places give rewards for customer loyalty.

  22. Been Through This Crap Too Many Times

    I’m on Sprint and received an alert from TMo that my account was compromised.

  23. Fed up with these hackers

    Frankly, Social Security numbers were never intended to be used as a means of identification for bill collecting and that type of situation, yet it did evolve that way, and that was a mistake.

    Sadly, it is how it’s done now, and if one gets their social security number compromised, that can be a terrible situation because the government will gladly lock you out of your own SS account if someone else creates an account using your SS# before you do.

    This happened to my child and became a nightmare to get straightened out. The person even had auto loans under my child’s Social Security number. Schools say they require the child’s Social Security number, yet the government website disagrees with that.

    My SS# was compromised, and someone filed my income tax, and now I have to have a code to file my own income tax. This was all due to some data breach.

    The U.S. government issues a SS number to U.S. citizens and eligible U.S. residents who apply for one, and the government uses this number to keep track of our lifetime earnings and the number of years worked. But now all types of establishments require one’s SS#, and then they don’t protect our information. Now, with so many people working from home, our personal information is on home computers using home ISPs.

    I hate having an issue now that requires me to call out for assistance, because doing so puts my account onto someone’s home computer, or home network, leaving me more vulnerable, more exposed.

    We don’t know WTF that at-home worker is doing to protect us, no matter what anybody says. Not to mention this side note of how at-home workers are using more bandwidth, forcing others to use less/cut back, just so at-home workers can use more home bandwidth for work, while we still pay the same but get throttled back while paying for unlimited.

    Everything is just an effing mess. It’s taken me 7.5 years to fix all the mess caused to us, and I’m now a ball of fire trying to protect us.

  24. Walter

    T-Mobile gets millions of dollars from customers. They need to be responsible for the breach and hacking, not just tell people that you need to change your password and PIN. If it happened once, they still take advantage. Secure all data: they spend money on 5G, but where is the system that protects data? I will feel 100% protected if T-Mobile steps up. People panic so much; you must take the breach seriously, T-Mobile. The worst is if hackers play again with T-Mobile and it loses the next round. Most people use a credit card to pay the bill; T-Mobile should create a new system. The US government should step up with new laws and policy making it clear about SSN and credit card storage by companies: no more. Credit cards and SSNs should never be in the system. Everything connects over the internet online these days; hackers hungry for money will tell companies, “if you pay us, we will do nothing.” This happened to the gas pipeline, a private company. Money is all they care about. If people sue T-Mobile for the breach, they will learn a lesson; they will never keep things the same. Bye.

Comments are closed.