Image: Mika Baumeister
American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks.
SIM swap fraud (or SIM hijacking) allows scammers to take control of targets' phone numbers after porting them using social engineering or after bribing mobile operator employees to a SIM controlled by the fraudsters.
Subsequently, they receive the victims' messages and calls which allows for easily bypassing SMS-based multi-factor authentication (MFA), stealing user credentials, as well taking over the victims' online service accounts.
The criminals can then log into the victims' bank accounts to steal money, change account passwords, and even locking the victims out of their own accounts.
The FBI shared guidance on how to defend against SIM swapping following an increase in the number of SIM hijacking attacks targeting cryptocurrency adopters and investors.
Undisclosed number of SIM swap attacks
In a data breach notice sent to impacted customers on February 9, 2021, and filed with US attorney generals' offices, T-Mobile revealed that an unknown attacker gained access to customers' account information, including personal info and personal identification numbers (PINs).
As the attackers were able to port numbers, it is not clear if they gained access to an employee's account or did it through the compromised users' accounts.
A T-Mobile spokesperson was not available for comment when contacted by BleepingComputer earlier today.
"[A]n unknown actor gained access to certain account information. It appears the actor may then have used this information to port your line to a different carrier without your authorization," T-Mobile said.
"T-Mobile identified this activity—terminated the unauthorized access, and implemented measures to protect against reoccurrence."
The information accessed by the hackers might have included customers' full names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts.
"T-Mobile quickly identified and terminated the unauthorized activity; however we do recommend that you change your customer account PIN," the company also said.
Impacted T-Mobile customers are advised to change their account's password, PIN, as well as their security questions and answers.
T-Mobile is offering two years of free credit monitoring and identity theft detection services through Transunion's myTrueIdentity.
Fifth data breach in four years
This is the fifth data breach disclosed by T-Mobile during the last four years, all of them being reported after hackers gained access to customers' data.
T-Mobile previously suffered from breaches in 2018 when millions of customers' info was accessed by hackers and in 2019 after exposing prepaid customers' data.
Last year, the company disclosed two more breaches, one of them in March 2020, when attackers gained access to customer and employee data.
In December 2020, T-Mobile's suffered another data breach after unknown threat actors again accessed customers' phone numbers and call records.
Update February 27, 02:44 EST: The attackers used an internal T-Mobile application to target up to 400 customers in SIM swap attack attempts, BleepingComputer has learned. No T-Mobile for Business customers were impacted during this incident.
BleepingComputer knows of at least one T-Mobile customer impacted by a SIM hijacking attack during the last month.
Comments
Mallissin - 3 years ago
I left T-mobile server years ago after I got SIM swapped.
The fact so many telecom companies use the phone number as a login is ridiculous.
They need to change it so a user can setup their own login name. That might not stop all sim swapping or account breaches but it would be an extra step an attacker would need to know to break in.
Slott44 - 3 years ago
I got hacked on February 17 around 2:30am. The hacker swapped my sim and proceeded to change passwords on several accounts as well as place a 25000 dollar trade on the Gemini exchange afterwards, which of course I did not receive notification of on my phone nor email, as both were hacked at the time. Fortunately I caught the activity before any financial damage was done. As far as no T-Mobile for business customers being effected, that is not true, as I am a business customer with 13+ lines of service.
doekna - 3 years ago
this is no new news, i am at the moment fighting numerous problems because of the same thing including my bankaccounts getting drained of thousands of dollars rendering me near homeless. i get up to fifty calls a day and so many texts i cant differentiate between what might be mine or not. yesterday i got a text from ""credit bureau" saying to contact them about security breach,,, hmmm open it or not? opened it and it showed a big ol picture of a naked woman.... so who do you believe and what to do when banks want to blow you off and accuse you of fraud themselves.... what to do about any of it? i cant even trust info on my continous glucose monitor as being accurate.
bigmike61 - 3 years ago
What's funny is that I complained that I had actual proof that a tmobile employee tried to hack my account and nobody cared! On January 10th, I read an article about sim swapping and decided to call tmobile to check to see if there was anything more I could do to protect my sim. I told Kiera that there was no issue with my sim several times and that I was just checking. At 10pm I noticed that I had no phone service. I didn't freak out until I realized that all of my passwords were changed. I was able to get back control in time before Garbage Keira and her people were able to clean me out. When I called the next day, I was told that Garbage Kiera reported my call as a damaged phone and ultimately had my sim card replaced in someone else's phone. Rep #2 claimed that Garbage Kiera would never do such a thing, because she knew her personally and they worked on the same team and that my phone call must have been for a damaged phone/sim. I called the following day and asked Rep #3 if he could tell me exactly what line was used to make the initial call to Garbage Kiera. He gasped when he realized that the call was made from my phone using my sim. So I called using my phone to call to report my phone and sim damaged???? How can I prove all of this?? I have recordings of ALL phone calls!, including with slimy upper management!! They skirted the issue and so did the NY Attorney General! If anyone needs proof, I have all you need!!!
GeronimoWsb - 3 years ago
I've had trouble since October mainly everything people have listed. I insisted on a port freeze but tmobile insisted s high security password would solve it. It doesn't . They gained access to my Coinbase account and that account thankfully was frozen. Changed my number and all my passwords again.
doekna - 3 years ago
you know, this time someone wants to title it "sim card swap" and its a simple way out of yet another. issues have been never ending for me for several years and have run rampant through all my electronic devices like dominoes. its just too damned easy for a company to say "oh i'm sorry"- yet at the same time its also too easy for them to sit you down in an office and explain their "normal procedures and policies" which include things like 90 day limits, and no returns after x amount of days.. and of course how many times can they get out of any responsibility because of lack of evidence that was there, but when another phone and/or laptop wipes out so does all that evidence. this has been going on for years, not months.. my personal issues were figured out long ago and yet still goes totally unadmitted and stays buried somewhere in a qlink warehouse amoung all those employees working in that warehouse and hacking into government funded phones....oops, its not allowed to accuse companies... so sue me. you cant get into my locked checking account...i know this because niether can i. you can have the 3.17 thats left.
BangEmBoy - 2 years ago
I'm going through the EXACT SAME THING NOW . MetroPCS nor TMobile will listen to me about what is going on !!!! I have 4 lines with Unlimited Data, that I can't access !!!! No Internet on my phone, but t says that I am connected !!!! Has ANYTHING been/being done ?!?!?! Who do I contact/call !?!?! Certainly NOT T-Mobile or MetroPCS .