Most Americans have stopped keeping count, but this will be the fifth or sixth data breach for T-Mobile, the second-largest mobile service network in the United States. In case you’ve forgotten or gotten it confused with the 12 other breaches you may have been a part of recently, the previous T-Mobile breach included PII such as addresses and phone numbers as well as your billing data, but not credit cards or Social Security numbers. This time around, according to the hackers who are attempting to sell the database via the dark web, they have names, addresses, Social Security numbers, driver’s licenses, and IMEI numbers of over 100M T-Mobile customers. T-Mobile and independent investigators are attempting to determine if this is true, but according to Motherboard, which first broke the story, the sample data they were provided as proof appeared to be legitimate.
What this means for you
You don’t need to be a security expert to understand how bad this is, but in case you want my hot take: if I had to rate this on a scale from one to ten of “bad”, it pins the needle at a solid ten, if only because having IMEI numbers exposed opens the possibility of wide-scale phone cloning, which could completely undermine any security provided via SMS-based two-factor authentication. In case parsing that last sentence was tough: the reason you implemented two-factor was that the second factor is a text message sent to your phone that no one else could see…unless your phone was cloned.
As of this writing, T-Mobile hasn’t verified that all 100M or so customer records were breached, but the various proofs provided by the hackers, as well as the fact that they are selling a subset of 30M records for $275k, seem to indicate that they do indeed have the goods, and you can bet this data is as good as sold, even at such a high price. For comparison’s sake, the previous breaches T-Mobile admitted to involved 1M and 2M records in 2 of the previous incidents.
This news is still developing, but keep your eyes and ears wide open, especially if you are a T-Mobile customer. If you see sudden two-factor prompts that you did not request, be prepared to act quickly to secure the account. If a service you protect with two-factor offers it, switching to an app-based two-factor method will remove this particular danger of a cloned phone, but only if you get it done before the hackers get you in their crosshairs. Keep in mind that the hacker will need to know your password (the first factor in a two-factor scenario) in order to trigger the second factor, so as long as that password wasn’t revealed in a previous breach, you will probably be fine. You used a unique, strong password for every service, right?