T-Mobile Customers Fall Victim to Another Cyberattack

5 Min Read Published: Dec 29th, 2021

Text Size

- +

Toggle Dark Mode

It looks as though at least a few T-Mobile customers are suffering through the impact of another data breach at the company, but at least it seems this latest attack is a bit smaller in scope.

Of course, that’s small consolation if you’re one of the folks who have fallen victim to this latest attack, which has just been uncovered by The T-Mo Report.

According to internal documents that the group got their hands on, several instances of “unauthorized activity” were found on some customer accounts, involving either the viewing of “customer proprietary network information (CPNI)” or “an active SIM swap by a malicious actor” — or both.

The only silver lining in this particular cloud is that only a small number of customers were affected, although the documents don’t provide too much detail on exactly what is meant by “small.” They also don’t offer any specific details on what happened — merely that some customer information was leaked.

T-Mobile is taking immediate steps to help protect all individuals who may be at risk from this cyberattack. If you have any questions, send us a DM and we can discuss steps to increase your account security. ^KenStone— T-Mobile Help (@TMobileHelp) December 28, 2021

T-Mobile has also confirmed the breach, noting that it’s taking immediate steps to protect anybody who may be at risk as a result of this most recent attack. Affected customers have apparently already been notified, and it’s somewhat reassuring that we haven’t seen any reports from specific customers who have received these notifications, suggesting that it’s not widespread.

What Was Exposed?

The T-Mo Report notes that those customers who were impacted fall into one of three categories. Those who only had their CPNI leaked may have had their billing account name, phone numbers, account numbers, and rate plan info exposed, including the number of lines on their account. No other personal information or payment information was included in this, however.

The potentially more dangerous category is those who fell prey to a SIM swap attack, which could have given hackers access to the customer’s other online accounts that are otherwise protected by two-factor authentication.

In a SIM swap attack, a malicious actor reassigned the customer’s phone number to a SIM card under their control, at which point they can receive all the text messages destined to that phone number. Since many two-factor authentication systems rely on one-time codes sent via SMS, this could allow a hacker to gain access to any online accounts protected by SMS-based two-factor authentication.

In most cases, this would require them to know the user’s existing password, since SMS is the second factor that’s used in addition to the password. However, with lists of millions of user passwords available in data breaches, and many folks using the same password (and email address) across multiple sites, this isn’t as hard as it sounds.

There are also some online services that trust SMS enough to use it as a password reset method. In this case, it becomes almost trivial to break into an account following a SIM swap attack, as the password reset instructions are sent by text message, at which point the malicious hacker can simply reset the user’s password, taking full control of the account.

The documents obtained by The T-Mo Report note that those who did suffer a SIM swap attack have already “had that action reversed.”

Although this is the second attack on T-Mobile this year, it’s considerably less serious than the major hack in August that gave a hacker access to detailed personal information on 50 million accounts, including names, social security numbers, and driver’s license information. This also exposed the data of over 40 million folks who had applied for T-Mobile credit, whether they were T-Mobile customers or not.

How to Protect Yourself

Sadly, there’s not much you can do to prevent yourself from a data breach, as most companies have to collect at least some personal data for you to do business with them. Ultimately, you’re trusting in their security and business practices to keep your personal information safe, and of course, some do a better job of this than others.

However, there are several important steps you can take to ensure that you’re less vulnerable if your personal information is exposed to hackers, and much like making financial investments, diversity is the name of the game here.

Don’t re-use passwords on multiple sites. There have been some incredibly high-profile data breaches that have exposed millions of user passwords, but those are only the ones that make the news. For every breach on Facebook, LinkedIn, or Adobe, there are hundreds of smaller sites that face these kinds of attacks daily. In many of these, hackers gain massive lists of email addresses and passwords, and of course, the first thing they do is try to use those on other sites. This means that if you’re using the same password everywhere, then one data breach effectively gives hackers full access to your entire digital life.
Use a Password Manager. Since it’s hard to remember a ton of different passwords, tools like 1Password can be very helpful. These securely encrypt your passwords in a digital “vault” with a single master password to access them. Granted, that could still provide a “one-stop shop” for hackers to get at all of your different passwords, but it’s still far better than reusing passwords. Plus, by necessity, these services have to pay a lot more attention to their security.
Use Unique Email Addresses. In much the same way that you shouldn’t reuse passwords across multiple sites, it’s a good idea to use services like Hide My Email and Masked Email to create randomized email addresses — especially for sites that you don’t use that often. You probably don’t need to worry about this for things like newsletter subscriptions, but it’s definitely important for those sites that use your email address as your user ID, since it makes it even more difficult for hackers to link your identity across multiple services.
Avoid SMS Two-Factor Authentication. As this attack shows, SMS swap hacks make it relatively easy for hackers to bypass SMS two-factor authentication, since they can use it to intercept that second factor. While you should always use two-factor authentication, it’s a good idea to avoid using SMS for this if at all possible. Instead, use a tool like Google Authenticator or even physical security keys for critical accounts.
Your Email account is typically your first line of defence. As bad as SIM swap attacks can be, if a hacker compromises your email account it’s usually game over. Most online services send password reset messages via email, so once a hacker has full access to your inbox, they can get into almost any other account simply by resetting your password. In some cases, they can even turn off two-factor authentication this way. Because of this, your email account should be your priority when it comes to security — at least as much, if not more, protection than you apply to your online banking accounts. Always use two-factor authentication with your email account, avoiding SMS as a method, and if at all possible, you may even want to consider using a physical security key.

In addition to the above, it’s obviously also a good idea to be somewhat choosy about where you share your personal information in the first place, but in today’s connected world, it’s hard to get through life online without sharing at least some information. However, if you’re diligent about security, you can pass through even the most serious data breaches relatively unscathed.