T-Mobile says hack affected more than 40 million people

T-Mobile said on Tuesday that a data breach it was informed of late last week contained more than 40 million records belonging to former or prospective customers who had applied for credit with the company, as well as information on approximately 7.8 million current postpaid customer accounts.

The stolen information included first and last names, dates of birth, Social Security numbers, and driver's license information, the company said. No phone numbers, account numbers, PINs, passwords, or financial data from these accounts appeared to be taken.

"While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information," the company said in a statement. "We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information."

An additional 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed in the breach. T-Mobile has proactively reset all PINs on these accounts and is in the process of notifying affected customers.

The Record reported earlier this week that the hacker posted a statement online claiming that the breach occurred by gaining access to a T-Mobile GPRS gateway that was allegedly misconfigured.

The person who claims to have compromised T-Mobile says the company misconfigured a gateway GPRS support node that was apparently used for testing. It was exposed to the internet. That allowed the person to eventually pivot to the LAN. Proof screenshot supplied. pic.twitter.com/tBMvRBmG0r

— Jeremy Kirk (@jkirk.bsky.social) (@Jeremy_Kirk) August 16, 2021

T-Mobile said in its recent statement that it "located and immediately closed the access point that we believe was used to illegally gain entry to our servers," but did not specify how the hacker was able to gain access to the company's systems.

In its statement, T-Mobile listed guidance to affected individuals:

• As a result of this finding, we are taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack. Communications will be issued shortly to customers outlining that T-Mobile is:
  • Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
  • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling our Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.
  • Offering an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.
  • Publishing a unique web page later on Wednesday for one stop information and solutions to help customers take steps to further protect themselves.