Hacker Claims To Steal Data Of 100 Million T-Mobile Customers
T-Mobile is actively investigating a data breach after a threat actor claims to have hacked T-Mobile’s servers and stolen databases containing the personal data of approximately 100 million customers.
The alleged data breach first surfaced on a hacking forum yesterday after the threat actor claimed to be selling a database for six bitcoin (~$280K) containing birth dates, driver’s license numbers, and social security numbers for 30 million people.
While the forum post does not state the origins of the data, the threat actor told BleepingComputer that they took it from T-Mobile in a massive server breach.
The threat actor claims to have hacked into T-Mobile’s production, staging, and development servers two weeks ago, including an Oracle database server containing customer data.
This stolen data allegedly contains the data for approximately 100 million T-Mobile customers and can include customers’ IMSI, IMEI, phone numbers, customer names, security PINs, Social Security numbers, driver’s license numbers, and date of birth.
“Their entire IMEI history database going back to 2004 was stolen,” the hacker told BleepingComputer.
An IMEI (International Mobile Equipment Identity) is a unique number used to identify mobile phones, while an IMSI (International mobile subscriber identity) is a unique number associated with a user on a cellular network.
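Because both identifiers have a fixed structure, a practitioner triaging a claimed leak sample can check whether the values even look like real IMEIs and IMSIs before taking a seller's word for it. The following is an added example, not code from the article or from T-Mobile: it validates the IMEI Luhn check digit (the last of the 15 digits is computed over the first 14), splits an IMEI into its TAC and serial, and splits an IMSI into MCC, MNC and MSIN. The sample identifiers are constructed; the two valid IMEIs are the widely published test values, and the MNC-length rule (3 digits for US MCCs 310-316, 2 elsewhere) is a simplification of the ITU E.212 assignments.

```python
"""Triage helpers for the identifiers named above: IMEI check-digit validation
(Luhn, per 3GPP TS 23.003) and IMSI field splitting.
Added example, not code from the page; all sample identifiers are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of decimal digits (rightmost digit doubled first)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every other digit, starting from the right, is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


@dataclass
class IMEI:
    tac: str      # Type Allocation Code: first 8 digits, identifies the device model
    serial: str   # digits 9-14: per-unit serial within that TAC
    check: str    # digit 15: Luhn check digit over the first 14


def parse_imei(imei: str) -> Optional[IMEI]:
    """Return the IMEI fields if the value is 15 digits with a correct check digit, else None.
    Separators such as '-' or spaces are ignored."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        return None
    if luhn_check_digit(digits[:14]) != int(digits[14]):
        return None
    return IMEI(tac=digits[:8], serial=digits[8:14], check=digits[14])


def is_valid_imei(imei: str) -> bool:
    return parse_imei(imei) is not None


@dataclass
class IMSI:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits depending on the country
    msin: str  # Mobile Subscriber Identification Number, the remainder (<= 10 digits)


def parse_imsi(imsi: str, mnc_len: Optional[int] = None) -> Optional[IMSI]:
    """Split an IMSI into MCC/MNC/MSIN. If mnc_len is not given, assume 3 digits for
    US MCCs 310-316 and 2 otherwise (a simplification; real deployments use a
    MCC->MNC-length table)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        return None
    mcc = imsi[:3]
    if mnc_len is None:
        mnc_len = 3 if 310 <= int(mcc) <= 316 else 2
    if mnc_len not in (2, 3):
        return None
    return IMSI(mcc=mcc, mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


def imei_pass_rate(imeis: Iterable[str]) -> Tuple[int, int]:
    """(valid, total) for a batch of claimed IMEIs; a real dump should be close to
    all-valid, while fabricated or mangled data usually is not."""
    total = valid = 0
    for value in imeis:
        total += 1
        if is_valid_imei(value):
            valid += 1
    return valid, total


# Constructed sample of the kind a seller might post as "proof"; the third
# value has a deliberately wrong check digit.
SAMPLE_IMEIS = ["490154203237518", "35-209900-176148-1", "490154203237519"]

if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEIS[0]))
    print(parse_imsi("310260123456789"))   # constructed IMSI; 310-260 assumed to be a US MNC
    print(imei_pass_rate(SAMPLE_IMEIS))
```

Separators are stripped before validation because leaked data is often exported in the hyphenated 2-6-6-1 display form. A passing Luhn check proves only that a value is well-formed, not that it belongs to a real subscriber; it is a cheap first filter, not verification.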
As proof that they breached T-Mobile’s servers, the threat actors shared a screenshot of an SSH connection to a production server running Oracle.
[Screenshot of the SSH session, with sensitive information redacted by BleepingComputer]
Cybersecurity intelligence firm Cyble also told BleepingComputer yesterday that the threat actor claims to have stolen multiple databases totaling approximately 106GB of data, including T-Mobile’s customer relationship management (CRM) database.
Motherboard, who first reported on this breach, said they could verify that data samples provided by the threat actor belonged to T-Mobile customers.
When asked if they attempted to ransom the stolen data to T-Mobile, the threat actors said they never contacted the company and decided to sell it on forums where they already have interested buyers.
When we contacted T-Mobile about the sale of this data they stated they are actively investigating it.
“We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time,” T-Mobile told BleepingComputer.
T-Mobile Hacked For Revenge
“This breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019,” the threat actors told Gal in a conversation.
“We did it to harm US infrastructure.”
Binns is a resident of Turkey who sued the FBI, CIA, and Department of Justice in 2020.
The complaint alleges that Binns was tortured and harassed by the US and Turkish governments and seeks to compel the USA to release documents regarding these activities under the Freedom of Information Act.
T-Mobile Says 6 Million More Customer Files Accessed In Data Breach (Including IMEI And IMSI Data—Serial Numbers)
Hack also exposed serial numbers tied to cellphones, company says.
T-Mobile US Inc. said the hack of its user database exposed an additional six million customers’ details, bringing the total number of compromised user records to more than 54 million as the carrier continues to investigate the extent of the intrusion.
In an update Friday, the company said 5.3 million more current T-Mobile accounts had their names, addresses, birth dates and phone numbers exposed, though their Social Security numbers or driver’s license details weren’t included. The company also identified a further 667,000 former clients who had some personal information compromised.
T-Mobile also said the hack accessed IMEI and IMSI data—serial numbers tied to phones—from current customers. These phone records were taken from the 5.3 million accounts as well as 7.8 million customers that T-Mobile had identified as victims earlier this week. The Bellevue, Wash., company didn’t disclose the number of people tied to those accounts. The average account covers more than one phone line.
Security researchers said the phone-specific serial numbers, when paired with other personal information, could prove particularly damaging in the hands of criminals who use the data to commit fraud. Attackers with information about a person’s subscriber identity module, or SIM, can use the information to impersonate a victim and take over his or her phone line.
“Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack,” the company said.
T-Mobile opened an online portal with information for potential victims and said it would offer two years of free identity-protection services from security firm McAfee.
On Monday, T-Mobile said it had learned that an individual in an online forum claimed to have breached its systems and was attempting to sell stolen customer data. The company said early Wednesday that attackers made off with personal data from more than 40 million people, including former and prospective customers.
Separately, AT&T Inc. denied a claim by a hacker group offering to sell records on more than 70 million of its customers on the same website where some T-Mobile data was previously offered for sale.
“Based on our investigation today, information that appeared in an internet chat room does not appear to have come from our systems,” AT&T said.
T-Mobile Hacker Who Stole Data On 50 Million Customers: ‘Their Security Is Awful’
A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier’s latest breach.
The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.
The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams has so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.
The breach is the third major customer data leak that T-Mobile has disclosed in the past two years. The Bellevue, Wash., company is the second-largest U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.
The Seattle office of the Federal Bureau of Investigation is investigating the T-Mobile hack, according to a person familiar with the matter. “The FBI is aware of the incident and does not have any additional information at this time,” the Seattle office said in a statement Wednesday.
In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile’s known internet addresses for weak spots using a simple tool available to the public.
The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.
Several cybersecurity experts said the public details of the hack and reports of previous T-Mobile breaches show the carrier’s defenses need improvement. Many of the records reported stolen were from prospective clients or former customers long gone. “That to me does not sound like good data management practices,” said Glenn Gerstell, a former general counsel for the National Security Agency.
Mr. Binns said he used that entry point to hack into the cellphone carrier’s data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers.
“I was panicking because I had access to something big,” he wrote. “Their security is awful.”
He said it took about a week to burrow into the servers that contained personal data about the carrier’s tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.
On Aug. 13, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to the security firm. Two days later, T-Mobile publicly acknowledged it was investigating a potential breach.
T-Mobile confirmed that more than 50 million customer records have been stolen. The wireless carrier said it had repaired the security hole that enabled the breach. “We are confident that we have closed off the access and egress points the bad actor used in the attack,” it said in a statement. A T-Mobile spokeswoman declined to comment on specific claims by Mr. Binns or by cybersecurity experts.
For Mr. Binns, who uses the online names IRDev and v0rtex, among others, the T-Mobile hack represents a major development in a track record that has featured various exploits and—four years ago—peripheral involvement in the creation of a massive network of hacked devices that was used for online attacks.
Mr. Binns showed the Journal that he could access accounts linked to the IRDev online personality, which shared screenshots depicting access into T-Mobile’s network. He declined to be photographed but answered personal questions to confirm his identity as John Binns.
In a statement, Unit221B said it believed the individual behind the IRDev alias was responsible for the T-Mobile hack because someone using this handle was reaching out to online criminals trying to sell the T-Mobile data before the hack had been made public.
It’s unclear whether Mr. Binns worked alone. At one point in his communications with the Journal, he described a collaborative effort to find the login credentials needed to crack T-Mobile’s internal databases. Another online personality also offered in online forums to sell some of the stolen T-Mobile data.
Mr. Binns said he grew up in northern Virginia with his Turkish mother. His father died in 2002 when Mr. Binns was two years old, according to a newspaper article and a published obituary.
He attended McLean High School in 2015 and 2016, according to the school’s yearbooks. He was estranged from his father’s family and moved with his mother to Izmir, Turkey, shortly after his 18th birthday, according to a person familiar with the matter.
He contacted a U.S. relative last year, claiming by telephone that he was a computer expert who had been kidnapped and taken to a hospital against his will, this person said. “He gushed about how he could do anything with a computer,” this person said.
In Telegram messages with the Journal, Mr. Binns repeated similar claims. He said he wanted to draw attention to his perceived persecution by U.S. government authorities. He described an alleged incident in which he claims he was abducted in Germany and put into a fake mental hospital.
“I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he wrote, explaining his reason for publicly discussing the hack.
Mr. Binns’s mother didn’t respond to phone calls and messages seeking comment. After the Journal reached out to her for comment, she took down her public Facebook page.
In 2020, Mr. Binns sued the Central Intelligence Agency, Federal Bureau of Investigation and other federal agencies to compel them to fulfill a federal records request he made for information about FBI investigations of botnet attacks. He didn’t use an attorney to file the complaint in the case, which is still active in the U.S. District Court for the District of Columbia. The agencies have denied his allegations in past court filings.
Security researchers said several online profiles tied to Mr. Binns were associated with groups of young gamers who have infected swarms of devices around the world. These botnets, as the infected device clusters are called, are often used by other gamers to knock people and websites offline.
Mike Benjamin, vice president of security for network operator Lumen Technologies Inc., said U.S. prosecutions in past years have limited the threat from these botnets, though network attacks have started growing in recent months. He said many young people, especially in the U.S. and Europe, first learn basic hacking techniques by sharing tricks and tactics with fellow gamers online.
“Online videogaming drives a natural competitiveness,” Mr. Benjamin said. “Everybody’s looking for that edge. That can reach into this area of outside of the videogame,” where tactics end up “breaking the internet instead of just inside the rules of the game.”
Mr. Binns told the Journal he first learned to find zero-days—previously undisclosed software flaws—by figuring out cheats for videogames such as “Minecraft,” “Arma” and “DayZ.” He said he found the zero-day that other hackers used to create Satori, a botnet-building virus that infects unprotected home routers, but denied writing any of the Satori code.
“There are people who are way more skilled than I am,” he wrote.
The August hack of T-Mobile stole an array of personal details from more than 54 million customers, according to the company’s latest tally. Some customers had their names, Social Security numbers and birth dates exposed. Another batch of data included IMEI and IMSI numbers tied to users’ phones, which other attackers could use as a starting point to take control of victims’ phone lines.
T-Mobile last week started notifying affected customers. The company offered two years of identity-protection services and reminded customers to regularly update passwords and PIN codes as a standard precaution.
The carrier has suffered other data breaches before. The company notified customers of two separate breaches in 2020 that affected smaller sets of records. The company this year hired McDonald’s Corp. executive Timothy Youngblood to oversee its cybersecurity measures. He succeeded longtime information security chief Bill Boni, who retired in June.
The Federal Communications Commission said it has launched a probe into the latest failure.
Past data-breach penalties have reached into the hundreds of millions of dollars. Equifax Inc. in 2019 reached a settlement with U.S. officials to resolve several investigations and lawsuits for $700 million. The credit-data provider generated $3.5 billion of revenue that year. T-Mobile had $68.4 billion of revenue in 2020.
A 2020 merger with Sprint Corp. made T-Mobile the U.S.’s second-largest mobile service provider, trailing only Verizon Communications Inc. T-Mobile executives have said they intend to keep growing by luring subscribers away from the competition.
“The upside for them from here is moving upmarket,” said New Street Research analyst Jonathan Chaplin. “For the high-end customers that might’ve thought about moving over, this might be a signal that ‘Hey, T-Mobile isn’t Verizon yet.’ This is totally unquantifiable, but to the extent that there’s brand damage, that’s where it will be felt.”
T-Mobile Says Hacker Used Specialized Tools, Brute Force
T-Mobile US Inc. said a cyberattack earlier this month that exposed millions of customer records was carried out using specialized tools to gain entry to the network, followed by brute force-style hacking techniques to access user data.
“In short, this individual’s intent was to break in and steal data, and they succeeded,” Chief Executive Officer Mike Sievert said Friday in a statement, the company’s fullest account yet of what happened. The company has hired cybersecurity provider Mandiant Corp. and consulting firm KPMG LLP to improve its defenses, he said.
The breach, the fourth that has compromised T-Mobile customer records in as many years, involved personal information including names, dates of birth, Social Security numbers and driver’s license information. Sievert said the company is working with law enforcement and can’t share further details of what happened.
The theft involved the records of more than 13 million current customers, along with more than 40 million prospective customers who had applied for credit with the company, and 667,000 former customers, according to a company statement last week. An additional 902,000 prepaid customers also had some data exposed.
“The sheer number of massive data breaches is a clear sign that something’s not right in the land of magenta,” said Tammy Parker, an analyst with GlobalData, referring to the T-Mobile brand’s signature color.
The U.S. Federal Communications Commission said last week it is investigating the breach. T-Mobile is also the subject of at least two class-action lawsuits accusing the company, the second-largest U.S. wireless carrier, of failing to protect customer data.
T-Mobile was hacked twice last year, and in 2018, about 2.5 million customers had their data exposed in a network breach. That attack became part of a federal class-action lawsuit.
A person on social media claiming to be a 21-year-old American living in Turkey has taken credit for the hack, according to the Wall Street Journal.
John Binns claims to have cracked T-Mobile’s network over the course of a week and then tried to sell the data to willing buyers on the social media channel Telegram, according to the Journal.
T-Mobile could face fines if it is found responsible for security lapses.
In 2017, Equifax had a massive breach that affected 163 million people. It was later fined $700 million by the Federal Trade Commission. Using that math, Jonathan Chaplin, an analyst at New Street Research, estimates that T-Mobile might be on the hook for $215 million in fines if the FTC takes action, he wrote in a note last week.
AT&T Inc. paid a $25 million fine after it was discovered that call-center employees had sold the personal data, including the Social Security numbers, of 280,000 customers. And Yahoo!, formerly owned by Verizon Communications Inc., had a hack that exposed the information on as many as 3 billion of its customers.
“T-Mobile has an extremely loyal customer base, and that will be a benefit through this crisis,” Parker said. “But T-Mobile needs to reassure its customers, potential customers, regulators and lawmakers that it is not only taking cybersecurity seriously but that it is rapidly fixing the problems to prevent this from happening again.”
T-Mobile CEO Apologizes For Data-Security Breach
Carrier says it failed to protect customer data and has hired security experts to beef up defenses.
The chief executive of T-Mobile US Inc. apologized to customers for a security breach that has exposed personal data from more than 50 million people and said the wireless company was working to strengthen its cyber defenses.
The Bellevue, Wash., company on Friday said it struck long-term partnerships with cybersecurity firm Mandiant and consulting firm KPMG LLP after the hack of its systems that exposed millions of Social Security numbers, birth dates and other data.
“We didn’t live up to the expectations we have for ourselves to protect our customers,” CEO Mike Sievert wrote in a public letter. “Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. He said the company’s lax security eased his path into a cache of T-Mobile records. “Their security is awful,” Mr. Binns told the Journal.
It wasn’t immediately clear whether Mr. Binns worked alone or with help. T-Mobile said Friday the attacker first pierced the company’s testing environments before gaining access to other systems through brute-force attacks and other methods.
The breach is the third major customer-data leak that T-Mobile has disclosed in the past two years. The company is the second-largest U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.
The Seattle office of the Federal Bureau of Investigation is investigating the incident, the Journal reported. Mr. Sievert said T-Mobile is cooperating with law enforcement on a criminal investigation.
Mr. Sievert, who joined T-Mobile in 2013, took over as the company’s CEO in 2020 from longtime boss John Legere. The handoff happened just as the carrier was closing the takeover of its rival, Sprint Corp., forming a bigger nationwide carrier to compete with peers AT&T Inc. and Verizon Communications Inc.
“We know we need additional expertise to take our cybersecurity efforts to the next level—and we’ve brought in the help,” Mr. Sievert wrote in Friday’s letter.
He said T-Mobile hired Mandiant to conduct a forensic investigation since it learned about the incident. KPMG’s cybersecurity team will review T-Mobile’s security policies and performance measurement, Mr. Sievert said.
“To say we are disappointed and frustrated that this happened is an understatement,” Mr. Sievert said. He added that the company is confident that it has closed the security hole the hacker accessed and that there isn’t an ongoing risk to customer data from the hack.
The company has notified nearly all current T-Mobile customers or primary account holders who had their data compromised, Mr. Sievert said. Among other measures, the company is offering two years of free identity-protection services with McAfee’s ID theft protection to those who might have been affected by the breach, he said.