
Huntn

Original poster
T-Mobile Security Breach 2021
This morning I woke up to news that T-Mobile had suffered a serious data breach.


I read about suggestions to change my password, which I did, and I set up 2-factor security, which I think I already had, in that T-Mobile wanted to send my phone a code, but I added Google Authenticator into the mix. Now if social security numbers are exposed, that's a different problem.

Then I did a search on the T-Mobile data breach 2021 and found this page that talks all about it and what you should do about it, including info for signing up for free McAfee identity theft protection for 2 years:

Here is the interesting part. While I was signed up to my T-Mobile account,


I found no notifications of this data breach, including the info about signing up for McAfee that was provided on the second link posted. You might notice in the second link the url, after t-mobile.com there is a /brand. I don't know if this is suspicious or not or if the previous link is legitimate or not. So I called T-mobile and the wait to talk to someone was only 90 minutes.

I am very hesitant to start entering my data in link 2 until I talk to someone at T-mobile...
 
Update: after a 1.5 hr call back time, then disconnected, then a 2 hour call back time, I finally talked to someone and I found out the page I questioned is legitimate and I have started the sign up process.
 
Yes, it's definitely legit.
 
I did not realize I could change my pin, will do that today. :oops:
 
The breach was actually reported around Tuesday (the 17th) I believe. Could have been Monday. I was finally able to change my password on Thursday (I couldn't do it Wednesday).

T-Mob is also (FINALLY) offering port-out protection. You have to add it per line (it's in the Manage Addons section for each line on your account) and it's only for voice lines.

Previously, a 'no-port' option was only available to business accounts. But T-Mob has finally been forced to implement it here I think.

As far as 2FA, yes, I too have Google Authenticator added. The problem is this is an all or nothing proposition. It's either on, with a choice of how to authenticate, or it's all off. So, someone trying to sim-jack you can simply ignore Google Authenticator and choose to authenticate as you some other way (like using your phone number to send the code).
 
As to the latter, I agree. When a person has 2FA enabled, authenticating the other ways should be disabled. Keeping all enabled with no way to turn off is another open security risk by T-Mobile.
 
Yeah, T-Mob finally added authenticator apps about a year ago (maybe sooner). But it's pointless if you can still use a phone number. Someone trying to sim-hijack is just going to ignore the authenticator option and go with the phone number.

T-Mob has a lot of smart tech people - I just don't get why they are so infantile when it comes to security.
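
The fallback problem discussed in the posts above, as an added example that is not part of any post in the thread. The policy names, factor labels and sample accounts are constructed for illustration and do not describe T-Mobile's actual systems.

```python
# Factors whose security depends on control of the phone number,
# and which therefore fall to a SIM swap or port-out.
SIM_BOUND = {"sms", "voice_call"}


def offered_methods(enrolled, policy):
    """Return the set of second factors the login flow will accept."""
    enrolled = set(enrolled)
    if policy == "any_enrolled":
        # Behaviour described in the thread: every enrolled factor stays usable.
        return enrolled
    if policy == "strongest_only":
        # Once a non-SIM factor exists, stop offering SIM-bound fallbacks.
        non_sim = enrolled - SIM_BOUND
        return non_sim if non_sim else enrolled
    raise ValueError(f"unknown policy: {policy}")


def sim_swap_exposed(enrolled, policy):
    """True if control of the phone number alone satisfies the second factor."""
    return bool(offered_methods(enrolled, policy) & SIM_BOUND)


def audit(accounts, policy):
    """Names of accounts whose 2FA can be satisfied through the phone number."""
    return sorted(name for name, enrolled in accounts.items()
                  if sim_swap_exposed(enrolled, policy))


# Constructed sample accounts: user -> enrolled second factors.
ACCOUNTS = {
    "alice": ["sms", "totp"],   # added an authenticator app, SMS still enrolled
    "bob": ["sms"],             # SMS only
    "carol": ["totp"],          # authenticator app only
}

if __name__ == "__main__":
    for policy in ("any_enrolled", "strongest_only"):
        print(policy, "->", audit(ACCOUNTS, policy))
```

Under `any_enrolled`, adding an authenticator app does not change alice's exposure; only removing the SIM-bound fallback does.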
 
With a strong PIN code and port protection turned on, SIM Hijacking will be a little less likely.

T-Mobile customers should also create strong answers to the account questions by providing the answers in the form of DICEWARE.
 
My (depressing) belief is that while it is important to do all the user-level things possible to guard against SIM swapping and port outs, there isn't any way for mobile phone subscribers to stop retail store and call center employees from working with criminals. Let's face it: it is very tempting for somebody who is paid only $10–or even $15!–an hour to accept an offer to make a few thousand bucks by using their internal access to transfer control of targeted phone numbers. Also, more generously, social engineering tactics remain effective in convincing well-meaning customer service people to make changes to cell service.

So I think anybody who has valuable or sensitive assets, data, or accounts that could be stolen using a port out or SIM swap should consider doing things such as:
  • Stop using text message-based 2FA wherever possible
  • Not discussing finances, especially cryptocurrency holdings, on social media using accounts that are easily linked to you
  • Use a phone number that is difficult to attack, such as a landline or Google Voice number, with accounts that need high security
 
I got a message from "T-Mobile" telling me about new features. For the record, nothing new has been mentioned on T-mo's website that I haven't known about in the past few months, so Moussey senses tingling. All I gotta do is login to my account and verify my personal info.🤔 Sounds legit.😂 OooOoooOOoo an embedded link, how convenient.🤣🤣🤣

Something tells me, my personal data wasn't among the stolen data. I'm breathing easier now. They did get a list of phone numbers and mine was among them. Go fish.😑
 
The breach was actually reported around Tuesday (the 17th) I believe. Could have been Monday. I was finally able to change my password on Thursday (I couldn't do it Wednesday).

T-Mob is also (FINALLY) offering port-out protection. You have to add it per line (it's in the Manage Addons section for each line on your account) and it's only for voice lines.

Previously, a 'no-port' option was only available to business accounts. But T-Mob has finally been forced to implement it here I think.

As far as 2FA, yes, I too have Google Authenticator added. The problem is this is an all or nothing proposition. It's either on, with a choice of how to authenticate, or it's all off. So, someone trying to sim-jack you can simply ignore Google Authenticator and choose to authenticate as you some other way (like using your phone number to send the code).
Is there a charge for this?

For those unfamiliar like myself:
 
It says free in the description:

"Use our free Account Takeover Protection service to help protect against an unauthorized user fraudulently porting out and stealing your phone number (postpaid only)."

 
There should NOT be. On all my lines it said free.
Just went to T-mobile and logged in could not find Managed Addons, did a search and found this, however my T-Mobile App is not working this morning, it just says "Hello there" and that includes after uninstalling and reinstalling it. :confused: At T-mobile.com, under "I want to managed addons" that is not listed as a choice. So I'll have to call them later. o_O

T-Mobile app

  1. Open the app and tap Account.
  2. Tap the picture of the phone.
  3. Tap Plan details tab at the top.
  4. Tap Manage data & Add-ons at the bottom.
  5. Select the plan or service, click Continue.
  6. Review the summary and click Agree & submit.


T-Mobile.com

  1. Go to T-Mobile.com and log in to your account as the Primary Account Holder.
  2. In the I want to... section, click Manage add-ons.
  3. Select your plan or service, then click Continue (at the bottom of the page).
  4. Review the summary and click Agree & submit.
 
It would be nice if I could find this feature at the site under my account. 🤔
 
Try starting with one of your lines first (where it lists the addons for the line). Also, this only works for VOICE lines.
 
When I added it to my line, it had to be done via phone call. It's not one of those features you can enable yourself ... unless they changed it in the last couple of weeks.
 
So I get to listen to the routine higher call volumes message for some length of time. Waits have really become ridiculous. :oops:
 