T-Mobile is Investigating an Alleged Data Breach That Would Affect 100 Million Users

Slashdot reader lightbox32 shared this report from Motherboard: T-Mobile says it is investigating a forum post claiming to be selling a mountain of personal data. The forum post itself doesn't mention T-Mobile, but the seller told Motherboard they have obtained data related to over 100 million people, and that the data came from T-Mobile servers.

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.
Mashable points out that "it's entirely possible that the seller is misrepresenting the scope of the breach and/or the contents of the information they claim to be selling.

"T-Mobile likely isn't going to say anything until there's a clearer sense of the risks its customers are actually facing."

Re:

[spiritplumber]

https://en.wikipedia.org/wiki/... [wikipedia.org] Your shitposts are so unoriginal, they are covered by 80s futuristic movies set in the 2010s.

Re:

[BoogieChile]

Why does it need to be a weedy little liberal and not someone The Rock, Joe Tate, or Mick Foley? I find it very interesting that you need to specify that the marines pick on somebody so considerably not-their-own-size. Is that some kind of alt-right thing, or just your own malevolent little fantasies?

Whodunit?

[Prod_Deity]

*NSA has left the chat*

Re:

[Z00L00K]

But was it IMEI or IMSI numbers that were in the breach? If SIM data are there then this could be on a level where the perpetrators can create spoofed SIM cards in order to circumvent 2FA.

Re:

[gweihir]

Not really. That would require hacking each individual SIM.

Just for curiosity's sake

[williamyf]

In the end the buck stops with T-Mobile, but I just wander if the data comes from the pre merger Sprint side, the pre-merger T-Mobile side... with their different security and infosec procedures...

Or from the combined entity after Infosec procedures were homologated and uniformized.

Re:Just for curiosity's sake

[williamyf]

Does it matter? Peoples' SSNs don't change.

As I said, the buck stops with T-Mobil.

But it matters, for a couple of reasons.

From a learning standpoint, it helps to pinpoint which procedures failed. If it were sprint's so be it, they/we/all can analyze which one failed, and if it was weeded out by the homologation procedure.Ditto if it were T-Mobil's side.

But if it was the merged entity, it means that not only there was a security flaw in the procedures, but also, the homologation procedure to take "Best of breed" procedures failed.

Also, froma PR standpoint, if it happened with any side pre-merger, they can allege that going forward it will not repeat, because after homologation the flaw was taken out and they adopted best of breed procedures...

So yes, it matters, more than you can grasp.

Re:

[Z00L00K]

Well, there's a possibility to change your SSN: https://www.aarp.org/retiremen... [aarp.org]

Re:

[Sloppy]

Oh shit, you mean these are the same SSNs that were in the Equifax and other breaches? By Yog-Sothoth, what a waste of hard disk space. Hopefully they'll just merge the [presumably new] IMEI data into the existing database.

Re:

[TeTalon]

My guess is that it was the sprint servers. Because sprints security was always was crap, and they never felt they had to fix it.

web history

[RegistrationIsDumb83]

At least it doesn't include web browsing history, since that's a thing tmo collects and sells now (ugh)

Was Worried

[phalse phace]

I was worried we wouldn't see a data breach for 2021 considering there was one in 2017 [slashdot.org] and 2018 [slashdot.org] and 2019 [slashdot.org] and 2020 [slashdot.org]

Glad to see that T-Mobile is being consistent.

Why so much?

[PsychoSlashDot]

Is there some good reason why a cell provider needs all that information? Driver's license number? Social insurance number? Why?

I'd expect them to need name, address, and credit card number to be able to process payments. And if someone's doing online bill payment they shouldn't need any of that.

IMEI and phone number are obviously required in all circumstances.

So. Are there some federal laws requiring gathering all that other stuff because the customer is a radio operator or something? Or is it

Re: Why so much?

[trogdor8667]

SSN because they do credit checks on post pay. Drivers license is questionable though.

Re: Why so much?

[jnorden]

I think a SSN for a credit check is also bullshit. If you've got a credit card in good standing with decent history, that should be all they need. If they really want a credit score, you should be able to just print one out, and take it over to your local t-mobile store.

Folks really need to WAKE UP and stop answering every question that every website or company asks for. I don't give my ssn or birth-date to anyone except bona-fide medical agencies. (I always give an easy-to-remember but wrong birhdate to places like facebook, etc, who have no damn reason to be asking me.) Anyone that asks to record my driver's license # had better give me a damn good reason.

I think that basic common sense, both on the part of folks asking for and giving out personal data, could probably reduce the incidence of identity theft by 1/10.

Re:

[phalse phace]

I think a SSN for a credit check is also bullshit. If you've got a credit card in good standing with decent history, that should be all they need.

And how would a company verify your credit card record is in good standing without running a credit check?

If they really want a credit score, you should be able to just print one out, and take it over to your local t-mobile store.

Anyone with a modicum of skill can create a fake credit report, or borrow/use a stolen credit report.

You must never have signed up for phone/cable/internet service, rented a house/apartment, leased a car, etc because in my experience, they all required a SSN to run a credit/background check

Re:

[Known Nutter]

I think a SSN for a credit check is also bullshit. If you've got a credit card in good standing with decent history, that should be all they need.

And how would a company verify your credit card record is in good standing without running a credit check?

The fact that you have a credit card at all should be enough to establish suitable credit for the purposes of setting up an account for mobile phone service.

Worth pointing out that the SSN is also useful for credit reporting and debt collection.

Re:

[phalse phace]

The fact that you have a credit card at all should be enough to establish suitable credit for the purposes of setting up an account for mobile phone service.

Not when there are credit cards that require no credit check to get [nerdwallet.com]

Re:

[anoncoward69]

Those are essentially prepaid "gift" cards. You have to prepay whatever the credit limit is on it and keep it in good standing. A "secured credit card" Over time it looks good on your credit report if you keep it in good standing and then can get a real credit card or other loans.

Re:

[phalse phace]

The fact that you have a credit card at all should be enough to establish suitable credit for the purposes of setting up an account for mobile phone service.

I'd also like to point out that some banks offer virtual credit card numbers [experian.com]. If all it took to get mobile service and a phone is a credit card number, then

1) Create a virtual credit card number
2) Use it along with a fake name and address (e.g. unsold or abandoned house) as the service provider would have no way to verify information
3) Sign up for service online and get a $1000+ phone with $0 down (T-Mobile is running several offers like this)
4) Wait for phone to get delivered
5) Don't pay for service/Disapp

Re:

[anoncoward69]

SSN for reporting and collections is probably another reason. The "loan" on your $1500 phone may not show up as good payments on your credit report, but you know as soon as you start missing payments or end up in collections, they are going to report that to the credit agencies, just like making good payments on an apartment lease doesn't show up on your report, but if you start missing your rent, or get evicted, that will show up on your credit report.

Re:

[Aighearach]

They don't do a credit check for post-pay billing, only for buying a phone on credit.

Re:

[msk]

Medical providers don't have a valid requirement for your SSN.

Re:

[anoncoward69]

They take SSN and DL and run a credit check, because when you get a discounted phone and are paying for it over a 1 or 2 year term, they have essentially extended a loan to you, even though it does not appear on your credit report as a loan as far as I know. They want to know you're going to be good for making those payments over the term. If you're missing a ton of CC and other loan payments, they might think twice, or require you to put more as a "down payment" for the phone. If you buy your phone outrigh

Re:

[Gruntbeetle]

> I think a SSN for a credit check is also bullshit.

You think that's outrageous, try opening a pre-pay account. I tried to create a mobile wi-fi account with Verizon. I told them it was pre-pay and I brought my own device, but they still wanted my SS# to run a credit check. I said "Why? I will never owe you money. There is no risk." They said this is the way they normally do this.

Odd, I try to set up an account where they never extend credit to me and I pre-pay with cash I will NEVER get back. Yet I

Re:

[zippthorne]

They're both questionable. Additionally, the need for a credit check is questionable.

Devices that you are intended [by the providers] to replace every 18-24 months due to either fashion or wear shouldn't cost so much that you would be willing to consider financing.

Even if financing phones on a mass scale somehow makes sense, banks should offer an phone loans (similar to auto loans) that are secured against the phone and/or your account to offer a low interest rate, with no need to go through the phone compa

Re:

[phalse phace]

Is there some good reason why a cell provider needs all that information? Driver's license number? Social insurance number? Why?

I'd expect them to need name, address, and credit card number to be able to process payments. And if someone's doing online bill payment they shouldn't need any of that.

Driver's license is used to verify a person's identity (name and address).

Social Security number is used as an additional form of identity and to run a credit check for post-paid accounts. If the person has bad credit, then they'll get denied service.

Mobile phone service providers frequently run promos and they use the person's info in case the person signing up for service doesn't fulfill the terms of the deal.

For instance, T-Mobile is currently running a promo where you can get a 128GB iPhone 12 Pro Max f

Re:

[Z00L00K]

The IMEI (device identity) isn't really the business of the telco except to manage stolen devices, it's the IMSI (subscriber key) that's the important part.

Re:

[I75BJC]

Requests for this information is to correctly identify the client/customer.
Since the USA has Social Security, I assume this is what you mean by "Social insurance" and that you're not from the USA.
Congress changed the law on Social Security Numbers so that the SSN can be used to identify people.
At one time, a SSN was valid identification for commercial air flights.
Driver's License in the USA are issued by the State Governments. There are 50 states and a few other jurisdictions that may or may not issue

People need refuse giving the SSN

[schwit1]

Service providers want it for a credit check. I say no to all of them. They might want you to pay a few months in advance. Ok.
Medical providers want it. Tell them to make up a number

Financial institutions you don't have a choice.

Useless post ..

[terrorubic]

Useless post .. totally lacking in technical details.

t-mobile update

[Dr. Tom]

coincidentally, T-Mobile just pushed out an Android update