UPDATE, Friday, Aug. 24, 3:00 pm ET: After this story was first published, a T-Mobile spokesperson told me that “encrypted passwords” were included in the compromised data. In its original announcement, the company said: “no passwords were compromised.”
When I asked why the company used that wording, the spokesperson said in a message: “Because they weren’t [compromised]. They were encrypted.”
The spokesperson declined to specify how those passwords were encrypted, or what hashing algorithm was used. Hours after this story was published, security researcher Nicholas Ceraolo reached out claiming that the data exposed in the breach was more than what T-Mobile disclosed. The researcher shared a sample of allegedly compromised data that included a field called “userpassword” and what looks like a hash, which is a cryptographic representations of a password. (Ceraolo said he was not involved in the hack but obtained the sample from a "mutual friend.")
According to two different security researchers, with whom Motherboard shared that hash, it may be an encoded string hashed with the notoriously weak algorithm called MD5, which can potentially be cracked with brute-forcing attacks.
Jeremi M. Gosney, a well-known password expert and CEO of the password-cracking firm Terahash,
analyzed the hash for Motherboard. Gosney said that while the hash algorithm is not totally clear, algorithm could likely be reverse engineered with access to a larger sample of hashes from the database.
Customers should assume their passwords have already been cracked and should change it, he told me in an online chat.
T-Mobile's CEO John Legere said in a tweet that "it’s always a good idea to regularly change account passwords."
The original story follows.
On late Thursday, T-Mobile revealed that hackers stole some of the personal data of 2 million people in a new data breach.
In a brief intrusion, hackers stole "some" customer data including names, email addresses, account numbers, and other billing information. The good news is that they did not get credit card numbers, social security numbers, according to the company.
In its announcement, T-Mobile said that its cybersecurity team detected an “unauthorized capture of some information” on Monday, Aug. 20.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
“Our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised” the announcement published on the company’s website read. “However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”
A company spokesperson told me that the breach affected “about” or “slightly less than” 3% of its 77 million customers.
“Fortunately not many,” the spokesperson said in a text message, adding she could not disclose the exact number.
The spokesperson added that the “incident” happened “early in the morning on Aug. 20,” when hackers part of “an international group” accessed company servers through an API that “didn’t contain any financial data or other very sensitive data.”
According to the spokesperson, on the same day of the intrusion, the cybersecurity team detected it.
“We found it quickly and shut it down very fast,” the spokesperson said.
The spokesperson said she couldn’t give “specifics” of the attack and did not know whether the hackers were criminals or part of a government.
T-Mobile is reaching out to victims directly via text message to notify them, she said.
The company wrote in the announcement that “all affected customers have been, or shortly will be, notified. If you don’t receive a notification than that means your account was not among those impacted by this incident.” T-Mobile also encouraged customers to contact customer service through 611 if they were concerned.
This is the latest in a seemingly endless series of security incidents for T-Mobile in the last year. In October of 2017, Motherboard revealed that hackers had found a nasty bug in a company website that allowed them to look up customers’ personal data just by having their phone numbers. The criminals used it to access customers’ personal information, leveraging it to steal cell phone numbers in the increasingly pervasive scam known as SIM swapping, or SIM hijacking.
T-Mobile initially said it had “found no evidence of customer accounts affected,” but that turned out not to be accurate. Days later, T-Mobile alerted “a few hundred customers” who had been targeted by hackers. Then, in February of this year, T-Mobile sent out a mass text warning customers of the threat of SIM swapping.
In February, a security researcher reported a “critical” bug in another T-Mobile site that would’ve allowed hackers to hijack customer’s accounts. It was fixed before anyone exploited it, according to the company.
Also, in 2015, T-Mobile was breached and lost the personal data—this time including social security numbers—of 15 million people.
This story has been updated with more information about previous security issues at T-Mobile, and the update about the passwords.
Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.