T-Mobile has confirmed that the Lapsus$ extortion gang breached its network "several weeks ago" using stolen credentials and gained access to internal systems.
The telecommunications company added that it severed the cybercrime group's access to its network and disabled the credentials used in the hack after discovering the security breach.
Per T-Mobile, the Lapsus$ hackers didn't steal sensitive customer or government information during the incident.
"Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software," a T-Mobile spokesperson told BleepingComputer.
"The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.
"Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete."
Independent investigative journalist Brian Krebs first reported the breach after reviewing leaked Telegram chat messages between Lapsus$ gang members.
While inside the mobile carrier's network, the cybercriminals were able to steal proprietary T-Mobile source code, according to Krebs.
T-Mobile hit by multiple breaches in the last several years
Since 2018, T-Mobile has disclosed six other data breaches, including one where hackers accessed data belonging to 3% of its customers.
One year later, in 2019, T-Mobile revealed that it exposed prepaid customers' data, while in March 2020, unknown threat actors gained access to T-Mobile employees' email accounts.
In December 2020, hackers also gained access to customer proprietary network information (phone numbers, call records), and in February 2021, an internal T-Mobile application was accessed without authorization by attackers.
Several months later, in August, attackers brute-forced their way through T-Mobile's network following a breach of the carrier's testing environments.
In the wake of the August 2021 breach, T-Mobile unsuccessfully tried to stop the stolen data from being leaked online after paying the hackers $270,000 through a third-party firm, per a VICE report.
Last month, the New York State Office of the Attorney General (NY OAG) warned victims of T-Mobile's August data breach that they're facing increased identity theft risks after some of their stolen sensitive info ended up for sale on the dark web.
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) also notified T-Mobile customers earlier this month of an unblockable SMS phishing campaign likely targeting them using info stolen in past data breaches.
Comments
h_b_s - 2 years ago
This has become a sad broken refrain from T-Mobile. I fear the only way to end this broken culture of lack of security is to make breaches really hurt financially both for the corporation and holding the managers personally responsible for their decisions, or lack of decision, leading to a breach. Then maybe this cesspool will get cleaned up.
JamesVanderPump - 2 years ago
This highlights the importance of not trusting your Telco. Unfortunately many entities still consider an SMS password reset acceptable. It is not. Your phone number should not be the weakest link in your account security.
darylzero - 2 years ago
T-Mobile security is nonexistent! All the C-level IT people should be fired.
In this day and age, why isn't all customer data encrypted!?!? When the hackers get in they could steal the database with customer info and it would be worthless if it was encrypted.
T-Mobile and all other companies offering a year of credit monitoring is a joke! If your identity is stolen because of them it will cost you thousands of dollars and hundreds of hours of grief!