Hackers who recently breached telecom giant T-Mobile managed to steal a bevy of personal data including Social Security Numbers, T-Mobile confirmed in an announcement on Wednesday.
The news corroborates some of what a hacker linked to the theft previously said when Motherboard broke news of the breach on Sunday, and signals the severity of T-Mobile's latest data exposure. The announcement says that the breach impacted 7.8 million current postpaid customers and 40 million former or prospective customers who applied for credit with the company.
"Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers," the announcement reads.
Do you work at T-Mobile and know anything else about this breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
The announcement is not especially clear to consumers in some places, and does not explicitly link which types of information were included in which subset of stolen data. But people applying for credit, such as the 40 million former or prospective customers who did so, typically provide their SSN. T-Mobile did not immediately respond to a request to clarify which data was exposed from each group. In an underground forum post, the hacker earlier offered to sell 30 million SSNs for around $270,000; they claimed to have data on 100 million people in all.
T-Mobile also said it had found that data on 850,000 prepaid customers was also exposed, including their names, phone numbers, and account PINs. "No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed," the announcement added.
"We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file," the announcement adds on top of that 850,000 set.
"We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away," the announcement reads. The company is also recommending that all postpaid customers change their PINs themselves.
T-Mobile said it is offering 2 years of free identity protection services from cybersecurity firm McAfee, and that it had started coordination with law enforcement around the breach.
Subscribe to our cybersecurity podcast CYBER, here.