Hackers have stolen details of two million T-Mobile US customers

No social security numbers, payment card data, or passwords included in the haul.

Graham Cluley
Graham Cluley
@[email protected]

Hackers have stolen details of two million T-Mobile customers

Earlier this week, hackers managed to gain access to data held on T-Mobile’s servers through a vulnerable API, making off with personal data of some US customers which could potentially be exploited by scammers.

In a customer advisory published late yesterday by T-Mobile, the company reassured customers that passwords, financial information, and social security numbers had not been exposed:

On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).

Of course, the lack of stolen passwords, credit card details, and social security numbers does not mean that you might not be targeted by online criminals.

As we’ve seen before (remember the TalkTalk breach in the UK?) fraudsters are more than willing to phone up customers of a telecoms provider, present themselves as the company (perhaps quoting the customer’s account and account details to appear more genuine), and then trick unsuspecting consumers into handing over further sensitive information that could facilitate identity theft.

Sign up to our free newsletter.
Security news, advice, and tips.

If you are a T-Mobile user, you would also be wise to think twice before acting upon any emails you receive purporting to come from the company. After all, it could be someone pretending to be contacting you from the firm.

In its advisory, T-Mobile doesn’t say how many customers have been impacted by the latest breach. However, a spokesperson told Lorenzo Franceschi-Bicchierai of Motherboard that the breach affected “about” or “slightly less than” three percent of its 77 million customers.

3% of 77 milion is 2.31 million T-Mobile customers. So “about” or “slightly” less than that.

T-Mobile has apologised for the incident, and wants customers to know that it takes security very seriously:

We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.