T-Mobile breach exposes data for more than 40 million people
The telecom giant confirmed reports that its network was breached by a threat actor who stole personal data on more than 40 million current, former and prospective customers.
T-Mobile said hackers managed to steal the account details of more than 40 million people in a recent data breach.
The lifted data includes the first and last names of current, former and prospective customers, as well as other personally identifiable information such as dates of birth, Social Security information, and driver's license and ID numbers. The telecom giant confirmed on Tuesday reports from earlier this week that it had suffered a network breach and lost data on tens of millions of customers.
Motherboard first reported the T-Mobile breach earlier this week, with the company later confirming the reports. The hacker claimed to have data on 100 million customers, including physical addresses and IMEI numbers, though T-Mobile's statement doesn't mention either data type.
It is not yet clear if T-Mobile was aware of the incident before Motherboard inquired. The hack impacts not only current and former customers, but also people who had applied for an account with the carrier and were subject to a credit check, meaning the company kept their personal information.
"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files," T-Mobile said, "as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile."
T-Mobile said the stolen data did not include phone numbers, account numbers, PINs, passwords or any financial information. The company is advising postpaid customers to change their PIN as a precautionary measure. The carrier is also offering those whose info was exposed two years of identity monitoring service.
In addition, T-Mobile said approximately 850,000 current T-Mobile prepaid customer names, phone numbers and account PINs were stolen. The company proactively reset all PINs on those accounts.
It's unclear when T-Mobile first learned of the breach. The Motherboard report, which cited the hacker who performed the attack, first gave word of the attack, though the hacker told Motherboard that their backdoor access to breached servers had been lost. While details of the timeline are still being worked out, what is clear is that the hacker was able to spend some time inside the company's network before being discovered.
"While we don't yet know the details of how exactly the T-Mobile data was breached, this is yet another reminder that taking proper precautions for data at rest and a sound security monitoring strategy is paramount," said Mark Orlando, CEO of infosec consultancy Bionic, in a statement to SearchSecurity.
While the hack is bad enough for individuals, experts tell SearchSecurity that the incident may also pose a threat to enterprises thanks to the close links so many workers have with their phones.
"With phone numbers, account PINs, and IMEI data exposed for many customers, this breach can be a potential starting point for vendor and supply chain phishing fraud," explained Brian Johnson, CSO with email security vendor Armorblox.
"Since phones are a preferred second method of authentication, cybercriminals can use this data to attempt MFA bypass and take over the target's email accounts."
Meanwhile, the hacker behind the attack is seeking a $280,000 payout on the dark web for the lifted data, according to Motherboard, and experts believe someone will be more than willing to meet that price.
"The reality is that the dark web is the third largest economy in the modern world, and with breaches of this scale often providing a six figure payday, cybercriminals will continue to seize these opportunities," said Rick McElroy, principal security strategist with VMware.