T-Mobile’s massive data breach leaked info for 5.3 million additional customers

Business

The Verge 20 August, 2021 - 09:53am 61 views

The company revealed that hardware ID numbers for SIM cards and cellphones have also been stolen

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Now, T-Mobile has confirmed that for the 7.8 million on-contract, or postpaid, customers it already counted in the breach, data stolen includes the information mentioned Thursday (first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers), as well as phone numbers and IMEI / IMSI information. IMEI stands for International Mobile Equipment Identity and is a number that’s assigned to every mobile device.

IMSI stands for International Mobile Subscriber Identity and is the identifier for the SIM card to which your mobile phone number is tied. That kind of data could be used to track mobile devices or assist in SIM swapping attacks where someone hijacks your phone number to intercept two-factor authentication codes or other information.

Additionally, 5.3 million more postpaid customers have also been identified as part of the breach, but without revealing their driver’s license / ID or Social Security numbers. The same goes for an additional 667,000 accounts of former T-Mobile subscribers that are being added to the total. Former Sprint prepaid and Boost Mobile customers are still in the clear, however, 52,000 names tied to Metro by T-Mobile accounts were stolen.

An unspecified number of files contained “phone numbers, IMEI, and IMSI numbers.” According to T-Mobile that did not include any personally identifiable information, which is a questionable claim since it could be easy to tie someone’s identity to their phone number based on other leaked data or simply browsing publicly available listings.

The FCC already announced it’s investigating the incident, and at least one class-action lawsuit has been filed against T-Mobile, calling its response and promised two years of identity protection services “inadequate.” The investigation is still ongoing, but T-Mobile customers (current, former, or just prospective ones who filled out an application) can go here for more information.

Subscribe to get the best Verge-approved tech deals of the week.

Please confirm your subscription to Verge Deals via the verification email we just sent you.

Read full article at The Verge

T-Mobile’s data breach is even worse than we thought

The Wall Street Journal 20 August, 2021 - 09:53am

The company revealed that hardware ID numbers for SIM cards and cellphones have also been stolen

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Now, T-Mobile has confirmed that for the 7.8 million on-contract, or postpaid, customers it already counted in the breach, data stolen includes the information mentioned Thursday (first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers), as well as phone numbers and IMEI / IMSI information. IMEI stands for International Mobile Equipment Identity and is a number that’s assigned to every mobile device.

IMSI stands for International Mobile Subscriber Identity and is the identifier for the SIM card to which your mobile phone number is tied. That kind of data could be used to track mobile devices or assist in SIM swapping attacks where someone hijacks your phone number to intercept two-factor authentication codes or other information.

Additionally, 5.3 million more postpaid customers have also been identified as part of the breach, but without revealing their driver’s license / ID or Social Security numbers. The same goes for an additional 667,000 accounts of former T-Mobile subscribers that are being added to the total. Former Sprint prepaid and Boost Mobile customers are still in the clear, however, 52,000 names tied to Metro by T-Mobile accounts were stolen.

An unspecified number of files contained “phone numbers, IMEI, and IMSI numbers.” According to T-Mobile that did not include any personally identifiable information, which is a questionable claim since it could be easy to tie someone’s identity to their phone number based on other leaked data or simply browsing publicly available listings.

The FCC already announced it’s investigating the incident, and at least one class-action lawsuit has been filed against T-Mobile, calling its response and promised two years of identity protection services “inadequate.” The investigation is still ongoing, but T-Mobile customers (current, former, or just prospective ones who filled out an application) can go here for more information.

Subscribe to get the best Verge-approved tech deals of the week.

Please confirm your subscription to Verge Deals via the verification email we just sent you.

Woman on Boston flight fined $29,000 for refusing to wear a mask, punching a passenger

CNET 20 August, 2021 - 07:56am

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.    You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages.    If you do not allow these cookies then some or all of these services may not function properly.

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.    They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

These cookies may be set through our site by us or our partners. These are cookies that may allow us to count visits and traffic sources so we can measure and improve the performance of our site. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

How to protect your T-Mobile account in light of the latest data breach

TechRepublic 20 August, 2021 - 07:29am

A cyberattack against T-Mobile has resulted in the theft and compromise of certain personal data of almost 50 million people. This week, the carrier acknowledged a major data breach in which cybercriminals obtained the first and last names, dates of birth, Social Security numbers (SSNs) and driver's license/ID numbers of 7.8 million current T-Mobile postpaid customers and more than 40 million former or potential customers who applied for credit with the company. Also compromised were the names, phone numbers and account PINs of around 850,000 active T-Mobile prepaid customers.

Responding to the breach, T-Mobile implemented a few measures, such as two years of free identity protection services with McAfee's ID Theft Protection Service and Account Takeover Protection for postpaid customers. Further, the company has advised all postpaid subscribers to change their PIN, even though it said it wasn't aware of any postpaid account PINs being compromised.

Much of data stolen by the attacker is reportedly already up for sale on the Dark Web. The breach came to light earlier this week upon news that T-Mobile was investigating an underground forum post from someone claiming to be selling customer data obtained from T-Mobile servers, according to tech news site Motherboard.

The data up for grabs included Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers and driver's license numbers. Motherboard said it looked at samples of the data and confirmed that it contained details on T-Mobile customers.

Much of this data seems destined to end up in the hands of cybercriminals, who will use it for account compromises, identity theft and other illegal activities. That means now would be a good time for all T-Mobile users to take steps to protect and secure their account, including changing the password and PIN and setting up two-step verification. Here's how to do just that.

Sign into the My T-Mobile website to access your account. At the account page, click on the My T-Mobile menu in the upper right and select My Profile. At the Manage profile page, click the first option for Profile information. Scroll down the Profile information page and click the Edit link in the Password section. Type your current password and then create, type and re-type a new password, trying to follow the usual guidelines for devising a strong and secure password. Click Save.

Next, click the Edit link in the PIN section. Type and then re-type a new numerical PIN, creating one with at least six digits. Click Save.

At this screen, you can also set up your security questions if you haven't already done so or you wish to change them. Click the Edit link in the Security Questions section. Choose or change the first, second and third questions, providing an answer for each one. When done, click Save.

To set up two-step verification for your account, look for a section for Two-Step Verification Options. Your best bet here is to use an authentication app, and T-Mobile steers you to Google Authenticator. If you don't already have this app, download it for your iPhone or Android phone. Back at the website, click the Set up link for Google Authenticator. At the next screen, click Get Started. The page should display a QR code.

Open the app on your phone. Tap the plus icon at the bottom of the screen and select the option for Scan a QR code. Scan the code on the webpage with your phone. Click the button to Continue setup. Enter the current six-digit code for your T-Mobile account as displayed in the app on your phone. Click the button to Confirm Code. Each time you sign into your account, T-Mobile will ask you to enter the current code from Google Authenticator.

Finally, you can further protect your account by requiring a password and additional verification method each time you sign in. To do this, turn on the switch for the option that says: "When this option is on, we'll ask you to provide your password and a second verification method every time you log in."

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Business Stories