T-Mobile confirms hack after customer data ends up for sale on cybercrime forum
Catalin Cimpanu August 16, 2021

US telecommunications giant T-Mobile has confirmed today that hackers breached some of its internal servers but said that it is still investigating if “any personal customer data” was stolen in the breach.

The company’s conflicting statement comes after a threat actor put up for sale the personal details of millions of T-Mobile customers on a cybercrime forum on Saturday, August 14.

While the hacker’s ad referenced 30 million T-Mobile customers, in a subsequent interview with news site Motherboard, the individual claimed the data was part of a larger package containing details for 100 million T-Mobile customers.

Following the breach, on Sunday, the hacker also posted a statement of their own online, claiming that they carried out the breach by gaining access to a T-Mobile GPRS gateway that was allegedly misconfigured.

T-Mobile’s statement today, embedded in full at the bottom of this article, confirms a breach but does not go into details.

The company said it is still in the process of analyzing what data was “illegally accessed.”

The incident marks the sixth security breach T-Mobile has disclosed since 2018; however, if the hacker’s claims are confirmed, this would be one of the largest US telco breaches to date.


We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.

We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.