Last year we wrote about T-Mobile being massively hacked, which essentially led to their entire customer database being leaked. This was a problem because the leaked information included cell numbers and their associated, unique IMEI numbers, which in theory could result in phones being cloned and/or service for an account being switched to a different phone if the hackers had access to some of T-Mobile’s core systems. We have now come to discover that they did in fact have that privileged access, though we do not know to what extent it was used to exploit the information they most assuredly had. T-Mobile has since confirmed that the hackers did have access to very sensitive data, including source code and privileged accounts, which the hackers themselves have boasted about stealing. As revealed in private chat logs acquired by security researchers, the hackers also admitted that they were not able to access law enforcement and DoD T-Mobile accounts to attempt SIM swaps, but it is not clear whether they succeeded with non-government accounts.
What this means for you
Many people use texts sent to their smartphones as a second-factor authentication method. If a hacker were able to SIM-swap or clone a phone used that way, and they also had other elements of that person’s digital life, such as logins and passwords to online banking protected by SMS-based second-factor authentication, then those accounts are no longer secure and have most likely been exploited. The most important property of a second factor is that it is something in your sole possession, and this hacking group’s access to T-Mobile’s account management systems completely undermined that security method for T-Mobile devices.
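As an added illustration (not part of the original post and not T-Mobile’s code), here is the defender-side check that follows from the point above: once a number has had a SIM or IMEI change, an SMS one-time code accepted on it shortly afterwards should not count as a factor in the customer’s sole possession, so it is flagged for denial or step-up to a non-SMS factor. The log format, field names, sample lines and the 48-hour window are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real carrier data): a carrier-side SIM/IMEI change
# followed by SMS one-time codes being accepted for the same and for other numbers.
SAMPLE_LOG = """\
2022-04-01T09:02:11Z carrier sim_change msisdn=+15555550100 old_imei=IMEI-A new_imei=IMEI-B
2022-04-01T09:40:27Z auth sms_otp_verified msisdn=+15555550100 account=alice
2022-04-01T10:15:00Z auth sms_otp_verified msisdn=+15555550177 account=bob
2022-04-03T12:00:00Z auth sms_otp_verified msisdn=+15555550100 account=alice
"""

@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    fields: dict

def parse_log(text: str) -> list:
    """Parse 'timestamp source kind key=value ...' lines (assumed format) into Events."""
    events = []
    for line in text.splitlines():
        ts, source, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, kind, fields))
    return events

def untrusted_sms_verifications(events, window=timedelta(hours=48)):
    """Return (account, msisdn, ts) for every SMS OTP accepted within `window` after a
    SIM/IMEI change on the same number. Those verifications should be denied or stepped
    up, because the number may now be answered by a phone the customer does not hold."""
    last_change = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        msisdn = ev.fields.get("msisdn")
        if ev.kind == "sim_change":
            last_change[msisdn] = ev.ts
        elif ev.kind == "sms_otp_verified":
            changed = last_change.get(msisdn)
            if changed is not None and ev.ts - changed <= window:
                flagged.append((ev.fields["account"], msisdn, ev.ts))
    return flagged

if __name__ == "__main__":
    for account, msisdn, ts in untrusted_sms_verifications(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} SMS factor for {account} ({msisdn}) accepted after a recent SIM change")
```

With the sample data only alice’s 09:40 verification is flagged; her verification two days later falls outside the 48-hour window and bob’s number saw no change.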
As is to be expected, T-Mobile has been tight-lipped about whether or not it has been able to keep hackers out of its core account management systems. Supposedly there are safeguards in place that prevent the tools from being run from unauthorized computers and networks, but according to the same chat logs mentioned above, it was clear this threat group had already solved that problem. Even when compromised credentials were shut down, the group continued to obtain new, usable credentials, either by buying them on the dark web or by tricking actual employees into giving up their credentials. By their own alleged admission, the leader of this threat group shut down their backdoor access so as not to draw too much attention to their efforts before he was able to achieve his personal objective of stealing T-Mobile’s source code. This caused some infighting within the group, as one faction wanted to keep trying to gain access to government accounts while others wanted to target high-net-worth accounts for SIM swapping and account takeovers.
Fortunately for us, and possibly for T-Mobile, seven teenage members of the threat group behind the T-Mobile hack have been arrested. Ironically, they were probably identified by being doxxed from within their own hacking community, which appears to be rife with infighting and drama, just like any other large online community. Does this mean you can trust T-Mobile’s security? I moved my family’s service off T-Mobile despite being a fan of their customer service for years. Is the carrier I moved to any more secure than T-Mobile? Only time will tell, but they, like all the others, are run by humans, and as we all know, humans make mistakes. Is it time to add another line to the list of life’s certainties? Death, taxes and hacking? Some days it certainly feels like it.