A data thief claims to have stolen the information of 100 million T-Mobile customers, and the company acknowledged it is investigating a possible data breach.
“We are aware of claims made in an underground forum and have been actively investigating their validity,” the company told Vice Motherboard. “We do not have any additional information to share at this time.”
The thief posted a For Sale sign on an online cybercriminal forum, asking 6 bitcoin (about $284,000 in U.S. dollars) for part of the purported T-Mobile data that supposedly includes 30 million Social Security numbers and driver’s-license numbers.
The seller told Vice Motherboard that the data on the other 70 million people is being sold privately. It all supposedly includes names, phone numbers, physical addresses and IMEIs (handset IDs).
Bleeping Computer, which also saw the forum post and communicated with the seller, said the data also includes phone IMSIs (SIM card IDs), customer dates of birth and T-Mobile account PINs.
Vice Motherboard said it had confirmed that a sample of the data it saw was real. We don’t know that for certain yet, but the types of customer data stolen overlap nicely with what T-Mobile admitted was swiped from its servers during an incident in March 2021, although T-Mobile said that breach involved only about 400 customers, not 100 million.
If you’re a T-Mobile customer, it would be best to change your account PIN and password immediately. You might also want to consider subscribing to an identity-theft-protection service, as the apparent theft of Social Security numbers and dates of birth is putting a lot of people at serious risk. Just bear in mind that these services can get expensive.
Bleeping Computer noted that the post didn’t mention that the data had come from T-Mobile, although the seller told both Bleeping Computer and Vice Motherboard that it had.
This is far from the first time that T-Mobile has responded to reports of a data breach. By our count, the company was hacked three different times in the past 18 months — March 2021, December 2020 and March 2020. The company was also hacked in August 2018.
If you’re serious about protecting your personal information, you may want to consider another wireless carrier with a better track record.