Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,473
16,514


T-Mobile CEO Mike Sievert today penned a letter to T-Mobile customers apologizing for the recent data breach that impacted more than 50 million current, former, and prospective T-Mobile users.

tmobilelogo.jpg

Data that included names, phone numbers, addresses, birth dates, social security numbers, driver's license and ID info, IMEI numbers, and IMSI numbers was stolen and has been offered for sale.

"We didn't live up to the expectations we have for ourselves to protect our customers," wrote Sievert. "Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry."

He went on to say that T-Mobile is "disappointed and frustrated" and that keeping customer data safe is a responsibility that is taken "incredibly seriously." Preventing attacks is a "top priority" for the company.

The hacker who claims to have attacked T-Mobile's servers yesterday said that T-Mobile's security is "awful." The hacker said that he discovered an unprotected T-Mobile router in July and used that to access T-Mobile's data center in Washington, where he was able to get in using stored credentials.

Sievert said that T-Mobile is coordinating with law enforcement on a criminal investigation, and that the company is unable to disclose specific details at this time.
What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.
T-Mobile has now notified every current T-Mobile customer about the data breach, and is working to notify former and prospective customers. Those affected can visit T-Mobile's website dedicated to the attack, which provides tools for signing up for free McAfee ID Theft Protection, setting up Scam Shield, and using the Account Takeover Protection service.

In an attempt to prevent future attacks, T-Mobile has entered long-term partnerships with cybersecurity experts at Mandiant and with consulting firm KPMG LLP. T-Mobile is planning a multi-year investment into beefing up its security.

Article Link: T-Mobile CEO Apologizes for Data Breach, Shares Info on Future Security Plans
 
  • Wow
Reactions: KennethAdamsCom

mapsdotapp

macrumors newbie
Aug 19, 2021
22
51
T-Mobile does have terrible security, even from a consumer’s perspective. They support TOTP tokens for two-factor authentication, but even if one enables it you can still use SMS as a fallback. This defeats the whole point as SMS has known vulnerabilities and is deprecated as a 2FA measure by NIST. Oh and by the way, your Apple ID has this vulnerability too. Hope your phone number is secure.
 

Baritone_Guy

macrumors member
Feb 12, 2021
36
44
Looks like I escaped this one. On the account page it tells me that “at this time” my information was not effected. Last thing I need is another credit monitoring service.

Per the previous post they also need to give me an option to block SMS as a fall back.
 

nutmac

macrumors 603
Mar 30, 2004
5,294
4,817
All empty words.

T-Mobile should minimally implement:
  • Non-SMS 2FA: Integrate with more secure 3rd party SSO like Apple or Google, and allow customers to use only RFC-6238 without the SMS fallback.
  • Automated PIN Entry: Currently, T-Mobile representative asks customers to recite the PIN. A bank teller would never ask for your PIN. The entry should be done by an automated system.
  • Close the Backdoors: T-Mobile representative can bypass the PIN and reset it with easily hacked info like social security number and mother's maiden name. Resetting them should require third party knowledge-based authentication service.
  • Data minimization: Do not store sensitive info like social security number, birthdate, and driver's license. Customers should be required to enter these information whenever T-Mobile needs to pull credit report.
  • Data retention: When a customer leaves, encrypt and archive their data to entirely separate system that requires more stringent access control. And allow customers to delete them indefinitely.
 

Antes

macrumors regular
Nov 12, 2014
108
238
I actually had a nightmare last night because of this:where my phone was being hacked and I couldn’t do anything to stop it or turn off my phone. I know it ain’t real but yeah I guess you can say this security breach thing is kind of stressing me out.
 
  • Haha
Reactions: Gudi

oneMadRssn

macrumors 603
Sep 8, 2011
5,596
13,031
Europe
"At this time we have no information that indicates your SSN, driver’s license or government issued ID associated with your account were impacted."

Oh good! I was worried, because having McAfee seems like even worse than being hacked.
 

KFridman

macrumors member
May 8, 2020
67
21
New York State
I read there have been five hacks in three years. As much as I like the 55+ plan that costs me $70/month for two lines (and free MLBtv) I am having a hard time sticking with T-Mobile. I’m considering going back to Verizon after the new iphones come out next month. Maybe they’ll have some deal on the 12 or 13 for new subscribers.
 

Mr. Dee

macrumors 68040
Dec 4, 2003
3,252
5,253
Jamaica
Tried changing my PIN and all it did was sign me out of the TMOBILE app when I attempted to log in. They need to do better. And just add to that, I think this breach exposes why I have been getting so many scam calls lately.
 

KennethAdamsCom

macrumors newbie
Nov 13, 2019
25
17
San Jose, CA
T-mobile's customer support technology in general is total garbage. And this breach once again proves it.

And somebody's lying, the hacker or the CEO, and I'm betting the CEO. This story reports that the hacker "was able to get in using stored credentials" but the CEO says "the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods". Is it "stored credentials" or "brute force attacks" ? The CEO is full of crap.

I WAS a T-mobile customer for almost 8 years. Ironically 5 weeks ago I finally got around to dumping them, and chose Mint Mobile. Comparing T-mobile tech to Mint's is night and day. T-mobile's customer portal via web and app is embarrassing. Mint's app is stellar - it's how it should be done. With Mint you can sign up, get a free trial, activate your iPhone with an eSIM, activate a paid plan, switch plans and everything else, right within the Mint iOS app. And their web UI is a modern 2020s design.

I worked with a guy at Apple who just joined T-mo 5 months ago as their Chief Digital Officer, named Marcus East. Marcus must be kickin' himself for making the move.... or politicking his way into the CEO chair. 👿 😉
 

mapsdotapp

macrumors newbie
Aug 19, 2021
22
51
T-mobile's customer support technology in general is total garbage. And this breach once again proves it.

And somebody's lying, the hacker or the CEO, and I'm betting the CEO. This story reports that the hacker "was able to get in using stored credentials" but the CEO says "the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods". Is it "stored credentials" or "brute force attacks" ? The CEO is full of crap.

I WAS a T-mobile customer for almost 8 years. Ironically 5 weeks ago I finally got around to dumping them, and chose Mint Mobile. Comparing T-mobile tech to Mint's is night and day. T-mobile's customer portal via web and app is embarrassing. Mint's app is stellar - it's how it should be done. With Mint you can sign up, get a free trial, activate your iPhone with an eSIM, activate a paid plan, switch plans and everything else, right within the Mint iOS app. And their web UI is a modern 2020s design.

I worked with a guy at Apple who just joined T-mo 5 months ago as their Chief Digital Officer, named Marcus East. Marcus must be kickin' himself for making the move.... or politicking his way into the CEO chair. 👿 😉
Mint is a T-Mobile MVNO. Hope they did their homework and trust their network security.
 

KennethAdamsCom

macrumors newbie
Nov 13, 2019
25
17
San Jose, CA
Mint is a T-Mobile MVNO. Hope they did their homework and trust their network security.
Yup, I know. I'm sayin' Mint's customer support tech is radically better than T-mo's. And since the hack got into customer support dbs.... well, we can do the math.

And the customer support tech is one indicator of the management talent... or in the case of T-mo, the lack thereof.
 

thesoundofsettling

macrumors newbie
Aug 27, 2021
1
4
It's 2021. They could at a minimum start by salting and hashing customer PINs in their database. The account number and PIN are the only info needed to port out your number. It's honestly a joke that the PIN is stored in clear text.

I left T-Mobile last week. Right after porting, they locked me out of my online account. I called to ask about how my final bill would be delivered since I'm paperless. The rep asked for my name and phone number and then proceeded to read my mailing address to confirm that's where a bill will be sent. If you ever have a stalker that knows your name and phone number, T-Mobile customer service would be more than happy to hand out your home address.
 

nburwell

macrumors 603
May 6, 2008
5,099
1,991
DE
Apologies only go so far. As a current T-Mobile customer, I want to see them take the security of their customer accounts more seriously, since they obviously were not before.

I went ahead and changed my password and enrolled in the free identity theft monitoring, but the fact that this isn't the first time this happened has me seriously considering moving to another carrier (namely Verizon), even though I'd pay more per month between my wife and I.
 

KennethAdamsCom

macrumors newbie
Nov 13, 2019
25
17
San Jose, CA
they locked me out of my online account. I called to ask about how my final bill
T-mo did the exact same thing to my account, when Mint transferred my phone number T-mo killed my account so I couldn't login to confirm my account was closed and get bills. BTW: That transfer took less than 10 minutes - it was so fast I didn't count the exact amount, but it was <10.

Weeks later I had to call T-mo to email me my last bill. That was 11 days ago. I'm still waiting for it....

Once again, this goes to confirm T-mo's bad management and incompetent customer support.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.