Not all data breaches are created equal. None of them are good, but they do come in varying degrees of bad. And given how regularly they happen, it’s understandable that you may have become inured to the news. Still, a T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention, especially if you’re a customer of the “un-carrier.”
As first reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver’s license information, and IMEI numbers, unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”
A lot of that information is already widely available, even the social security numbers, which can be found on any number of public records sites. There’s also the reality that, by this point, most people’s data has been leaked at some point. But the apparent T-Mobile breach offers potential buyers a blend of data that could be used to great effect, and not in ways you might automatically assume.
“This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” says Crane Hassold, director of threat intelligence at email security company Abnormal Security. “That’s the first thing that I thought of, looking at this.”
Yes, names and phone numbers are relatively easy to find. But a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises, say, a special offer or upgrade for T-Mobile customers. And to do so en masse.
The same is true for identity theft. Again, a lot of the T-Mobile data is out there already in various forms across various breaches. But having it centralized streamlines the process for criminals—or for someone with a grudge, or a specific high-value victim in mind, says Abigail Showman, team lead at risk intelligence firm Flashpoint.
And while names and addresses may be fairly common grist at this point, International Mobile Equipment Identity numbers are not. Because each IMEI number is tied to a specific customer’s phone, knowing it could help in a so-called SIM-swap attack. “This could lead to account takeover concerns,” Showman says, “since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts—such as email, banking, or any other account employing advanced authentication security feature—using a victim’s phone number.”
That’s not a hypothetical concern; SIM-swap attacks have run rampant over the past several years, and a previous breach, which T-Mobile disclosed in February, was used specifically to execute them.
T-Mobile confirmed on Monday that a breach had occurred but not whether customer data had been compromised. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed,” the company said in an emailed statement. “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”