T-Mobile is investigating a post made on an underground forum that claims 100 million user accounts have been compromised in a data breach.
The hacker, who spoke with VICE's Motherboard in an online chat, said the data came from T-Mobile USA and involves "full customer info."
The data includes Social Security numbers, phone numbers, names, physical addresses, unique IMEI (mobile device identifier) numbers, and driver's license information.
The hacker is now looking to sell a subset of the data, approximately 30 million users' info, on the Dark Web for 6 Bitcoins (roughly $278,000). They are also selling the rest of the data privately.
In response to the data breach, a T-Mobile spokesperson said:
"We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time."
The hacker behind the T-Mobile data breach claims to be part of an international group that had access to the company's servers for weeks.
How did they gain access? According to the culprit, T-Mobile left a Gateway GPRS Support Node, or GGSN, exposed to the internet. GGSNs are core-network gateways that route subscriber traffic between mobile devices and the internet, which makes them a critical component.
Then, they "pivoted" through IP addresses, eventually gaining access to production servers.
The hacker says they accessed more than 100 servers by brute forcing and credential stuffing logins on internal T-Mobile servers, none of which had rate limiting enabled.
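The two login-abuse patterns named above, brute forcing (many guesses against one account) and credential stuffing (one source cycling through many accounts), leave a distinctive footprint in authentication logs, and the per-source rate limiting said to be missing is a cheap control against both. The following is an added example, not code from the article, T-Mobile or Motherboard: it runs both detections over a constructed set of auth log lines and then replays the same events through a sliding-window rate limiter to show how many attempts it would have refused. The log format, field names and thresholds are assumptions.

```python
# Added example, not from the article: detect brute forcing and credential
# stuffing in auth logs, then replay the events through a per-source rate limiter.
import re
from collections import defaultdict, deque

# Assumed log format: "<unix_ts> auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (timestamps in seconds). 10.0.0.7 cycles through many
# accounts (stuffing), 10.0.0.9 hammers one account (brute force), 192.0.2.5 is benign.
SAMPLE_LOG = """\
1 auth FAIL user=alice src=10.0.0.7
2 auth FAIL user=bob src=10.0.0.7
3 auth OK user=carol src=10.0.0.7
4 auth FAIL user=dave src=10.0.0.7
5 auth FAIL user=erin src=10.0.0.7
6 auth FAIL user=frank src=10.0.0.7
7 auth FAIL user=grace src=10.0.0.7
8 auth FAIL user=heidi src=10.0.0.7
10 auth FAIL user=ivan src=10.0.0.9
11 auth FAIL user=ivan src=10.0.0.9
12 auth FAIL user=ivan src=10.0.0.9
13 auth FAIL user=ivan src=10.0.0.9
14 auth FAIL user=ivan src=10.0.0.9
15 auth FAIL user=ivan src=10.0.0.9
20 auth OK user=judy src=192.0.2.5
21 auth FAIL user=mallory src=192.0.2.5
22 auth OK user=mallory src=192.0.2.5
"""


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _windows(events, key_fn, window):
    """Yield (key, events) for every sliding window of `window` seconds, per key."""
    groups = defaultdict(list)
    for e in events:
        groups[key_fn(e)].append(e)
    for key, evs in groups.items():
        for i, start in enumerate(evs):
            yield key, [e for e in evs[i:] if e["ts"] < start["ts"] + window]


def detect_credential_stuffing(events, window=60, min_users=5, min_failures=5):
    """Flag sources that try many distinct accounts with mostly failed logins."""
    flagged = set()
    for src, win in _windows(events, lambda e: e["src"], window):
        users = {e["user"] for e in win}
        failures = sum(e["result"] == "FAIL" for e in win)
        if len(users) >= min_users and failures >= min_failures:
            flagged.add(src)
    return flagged


def detect_brute_force(events, window=60, min_failures=5):
    """Flag (source, account) pairs with repeated failures against one account."""
    flagged = set()
    for key, win in _windows(events, lambda e: (e["src"], e["user"]), window):
        if sum(e["result"] == "FAIL" for e in win) >= min_failures:
            flagged.add(key)
    return flagged


class SlidingWindowRateLimiter:
    """Allow at most `max_attempts` per key within any `window_seconds` interval."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, ts):
        q = self._hits[key]
        while q and q[0] <= ts - self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(ts)
        return True


def apply_rate_limit(events, limiter, key="src"):
    """Replay events through the limiter and return those it would have rejected."""
    return [e for e in events if not limiter.allow(e[key], e["ts"])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", detect_credential_stuffing(evs))
    print("brute-force pairs:", detect_brute_force(evs))
    limiter = SlidingWindowRateLimiter(max_attempts=3, window_seconds=60)
    print("attempts a 3/min limiter would reject:", len(apply_rate_limit(evs, limiter)))
```

Keying the limiter on source address is the first line of defence and is enough to stop a single-host campaign like the sample; stuffing spread across many addresses needs per-account counters or a global failure-rate alarm on top, which is why the detection functions are kept separate from the limiter.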
They claim to have received multiple offers for the full set of data, but won't say if it has been sold or not.
This particular hacker seems to be making a career out of stealing data, as this is not the first offense.
In July of this year, the hacker stole phone data belonging to 833 million users and visitors in China. The data included phone numbers plus IMEI and IMSI numbers and was posted for sale on the Dark Web for $2,000. It is unknown whether the data was actually sold.
Hitesh Sheth, President and CEO at Vectra, shared his perspective on the data breach:
"T-Mobile's attackers apparently claim they ransacked company databases as reprisal for U.S. espionage activity. They do not seem to be demanding ransom. If true, it further blurs the lines in cyberwar between government and private assets. Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points.
If privately owned infrastructure is going to suffer retaliation for things government does, it's not only imperative that businesses shore up their cyber defenses. It's vital that deeper, smarter public-private partnerships define cybersecurity norms, roles, and responsibilities. Like it or not, when a critical enterprise is a cyber target, it's playing a role in national defense."
Unfortunately for one of the largest mobile providers in America, this is not the first data breach the company has suffered.
In 2018, over two million T-Mobile users had their information exposed through an unsecured API, resulting in names, emails, phone numbers, and account numbers being compromised.
The following year, over a million customers' accounts were compromised in a breach after a hacker accessed data related to prepaid wireless accounts.
In December 2020, T-Mobile was the victim of another data breach, this time in its customer proprietary network database, which included phone numbers and call information of 200,000 customers.
This story was first reported by VICE Motherboard.