T-Mobile is having a rough year. Back in May, security researchers discovered an open API that could allow attackers to siphon off sensitive customer information. Now, just a few weeks ago, T-Mobile disclosed that on August 20th its security team found unauthorized users retrieving data from T-Mobile servers. At this time, they believe over 2 million accounts were compromised. MetroPCS, a subsidiary of T-Mobile, was affected as well. Since this is a developing story, it's possible that the full extent of this breach hasn't been discovered.
At first T-Mobile made it clear that no financial data (including credit card numbers), social security numbers, or passwords were compromised; only names, addresses, emails, and phone numbers were captured. However, T-Mobile later said that "encrypted passwords" were stolen. When asked why they didn't explain this earlier, a spokesman for T-Mobile said it was because the clear-text passwords were not compromised. Researchers who have investigated the encrypted passwords have said they are simple MD5 hashes, which can be easily broken: unsalted MD5 is fast to compute, and because every account with the same password gets the same hash, one pass over a wordlist cracks an entire dump at once. Also, if you were the victim of a previous breach, your phone number can be used to correlate your records between this breach and the previous one.
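To make the "easily broken" point concrete, here is an added example (mine, not code from the post or from T-Mobile) that runs a dictionary attack against a constructed dump of unsalted MD5 hashes and then runs the same attack against salted PBKDF2-HMAC-SHA256. The wordlist, account names, and passwords are all made up for the demo; the point it shows is the work factor: unsalted MD5 costs one hash per candidate word for the whole dump, while a salted slow hash forces a fresh derivation per account and per word.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary (rockyou, etc.).
WORDLIST = ["password", "123456", "qwerty", "tmobile1", "letmein", "Summer2018"]


def md5_hex(password):
    """Unsalted MD5, the scheme the researchers reported for the leaked hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed "dump" of unsalted MD5 hashes; these are not real T-Mobile records.
LEAKED_MD5 = {
    "alice": md5_hex("tmobile1"),
    "bob": md5_hex("123456"),
    "carol": md5_hex("123456"),      # same password as bob: identical hash, no salt
    "dave": md5_hex("Tr0ub4dor&3"),  # not in the wordlist, so it survives this pass
}


def crack_unsalted_md5(dump, wordlist):
    """Dictionary attack on unsalted MD5.

    One hash per candidate word covers every account in the dump, so the cost is
    O(len(wordlist)) regardless of how many accounts leaked.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup.get(h) for user, h in dump.items()}


# Contrast: a salted, deliberately slow hash from the standard library.
ITERATIONS = 100_000  # kept low for the demo; tune to current guidance in production


def pbkdf2_store(password, salt=None):
    """Returns (salt, digest) as a server would store them; fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(dump, wordlist):
    """Same dictionary attack against salted PBKDF2.

    The per-user salt means no shared lookup table helps: each (account, word) pair
    needs its own derivation, so work is O(len(dump) * len(wordlist) * ITERATIONS).
    Returns the recovered passwords and how many derivations were performed.
    """
    found = {}
    derivations = 0
    for user, (salt, digest) in dump.items():
        found[user] = None
        for word in wordlist:
            derivations += 1
            if pbkdf2_verify(word, salt, digest):
                found[user] = word
                break
    return found, derivations


def build_salted_dump():
    """Constructed salted dump: two users with the same password get different digests."""
    return {
        "bob": pbkdf2_store("123456"),
        "carol": pbkdf2_store("123456"),
    }


if __name__ == "__main__":
    print(crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = build_salted_dump()
    print("salted digests differ:", salted["bob"][1] != salted["carol"][1])
    print(crack_salted(salted, WORDLIST))
```

With the six-word list, the MD5 pass computes six hashes and recovers three of the four accounts in one shot; the PBKDF2 pass has to re-derive per user, and a realistic wordlist times a realistic iteration count is what turns a minutes-long job into an infeasible one. The salt does not stop cracking of a single weak password, but it removes the "crack once, apply to millions" economics that unsalted MD5 hands an attacker.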
No information on how the breach was made or discovered was released. A Reddit user, who has been verified as a T-Mobile employee by Reddit, said, “Any account that still had not added a pin was affected.”
Other users in the same thread said they had previously set up a PIN. Perhaps only users who had not set up a PIN (or whose PIN or SSN the attackers were able to obtain) were affected. If true, this hints at what happened during the breach and how the servers were compromised.
This breach will probably cause an increase in unauthorized phone porting (port-out fraud), where an attacker gets a victim's phone number transferred to a SIM or carrier they control by impersonating the account holder with exactly the kind of data that leaked here: name, address, and phone number. If you have a T-Mobile account, I recommend changing your password and, given the employee comment above, making sure an account PIN is set. T-Mobile does offer SMS 2-factor authentication. SMS 2FA is not the best option, and a successful port-out of your number would let the attacker receive those codes, but until a token-based 2FA is available I recommend enabling it to further secure your account.
For more information on this breach, see T-Mobile’s page for affected customers here.