Hackers stole the personal data of millions of T-Mobile customers

Hackers stole the personal data of millions of T-Mobile customers

Update 2 (08/20/2021 @ 07:34 PM ET): More bad news for T-Mobile customers — the hack is even worse than initially reported. Click here for more information. The article, as published on August 17, 2021, is preserved below.

Previous updates

Update 1 (08/18/2021 @ 03:39 PM ET): T-Mobile has shared some of the preliminary findings of its internal investigation into the massive data breach affecting millions of customers. Click here for more information.

U.S. carrier T-Mobile has confirmed that it experienced a data breach, saying that “unauthorized access to some T-Mobile data occurred”. It comes after the carrier said that it was investigating a forum post online, claiming to be selling data of over 100 million people. The data is said to include social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver’s licenses information, and it’s also said to have come directly from T-Mobile’s servers.


Some samples of the data have been seen by Motherboard, and the publication confirmed that they contained accurate information on T-Mobile customers. The seller told Motherboard that they compromised multiple servers belonging to T-Mobile. A subset of data containing roughly 30 million social security numbers and driver’s licenses are being sold on the forum for a total of six bitcoin, whereas the remaining data is being sold privately. Six bitcoin amounts to roughly $280,000 at current rates.

“I think they already found out because we lost access to the backdoored servers,” the seller told Motherboard, referring to T-Mobile’s potential response to the breach. The seller said that it seemed that T-Mobile has since kicked them out of the hacked servers, but that they had already downloaded the data locally. “It’s backed up in multiple places,” they said.

T-Mobile has said in a statement that “we are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.” The company has also pledged to “proactively communicate” with customers and stakeholders once more is understood, but that the investigation will “take some time”. T-Mobile is also not confirming the number of records affected or the validity of any statements made by others. This is a developing story and more information will likely be released in the future.

Update 1: Preliminary findings

In a new blog post, T-Mobile has shared some of the preliminary findings of its investigation into the cyberattack against them. The company says that it was informed of the claims made in the online forum referenced by Motherboard late last week. The company says it then immediately began an investigation into the claims, located, and then closed the access point they believed was used to gain entry into their servers.

However, before they managed to close the access point, hackers had already exfiltrated data from the servers, which T-Mobile confirms contained personal information on its customers. The company says it did not see evidence that the stolen data contained any “customer financial information, credit card information, debit or other payment information.” However, the carrier says that “some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”

Approximately 7.8 million current postpaid customer accounts and over 40 million former or prospective customers who applied for credit with the carrier were exposed in the breach. The carrier reiterates that no phone numbers, account numbers, PINs, passwords, or financial information were compromised.

For the approximately 850,000 current prepaid customers exposed in the breach, phone numbers and account PINs were also compromised, however. To protect these users’ accounts, T-Mobile has reset PINs and says it will inform affects customers soon. Customers on Metro by T-Mobile, Sprint prepaid, and Boost were not affected, according to T-Mobile.

Given the importance of this information in identification, especially the social security number, you should be checking your credit report with the major agencies to see if anyone is trying to open an account under your name. Freezing your credit is one way to ensure that nobody can open a line of credit under your name, even if they have all the personal information they need to do so.

T-Mobile itself is offering 2 years of identity protection from McAfee and is recommending all postpaid customers proactively change their PIN to be on the safe side. The carrier will publish a web page later today containing all the information on this breach that customers need to know about.

Update 2: Additional 6 million customers affected

In a new post, T-Mobile has shared additional information it uncovered during its investigation of the recent breach of its servers. The carrier reiterates that it is confident it has closed off access the egress points the hackers used in the attack, and that no customer financial information was compromised, but they have now discovered evidence suggesting more data was leaked and more customers were affected than previously believed.

For starters, for the approximately 7.8 million postpaid customers who T-Mobile previously identified in the leak, the carrier now believes that phone numbers and IMEI and IMSI information were also compromised on top of first and last names, date of birth, SSN, and driver’s license/ID information.

Next, the carrier says that an additional 5.3 million current postpaid customer accounts were compromised. Data that was illegally accessed includes names, addresses, date of births, phone numbers, IMEIs, and IMSIs, though the carrier says that SSN and driver’s license/ID information were not compromised.

The carrier previously stated that 40 million former or prospective T-Mobile customers had their names, DoB, SSN, and ID information compromised. Now, they state that an additional 667,000 accounts had their names, DoB, phone numbers, and addresses compromised but that their SSNs and ID information were not stolen.

Finally, T-Mobile says that up to 52,000 names of Metro by T-Mobile customers may have been leaked. However, no other personally identifiable information was compromised, and none of the information that was stolen pertain to former Sprint prepaid or Boost customers.

For more information on this data breach and T-Mobile’s ongoing investigation, visit this web page.

About author

Adam Conway
Adam Conway

I'm the senior technical editor at XDA-Developers. I have a BSc in Computer Science from University College Dublin, and I'm a lover of smartphones, cybersecurity, and Counter-Strike. You can contact me at [email protected] My Twitter is @AdamConwayIE and my Instagram is adamc.99.

We are reader supported. External links may earn us a commission.