On August 14, 2021, a cyber threat actor listed a database for sale on a hacking forum, claiming it had been taken in a recent hack of servers belonging to T-Mobile and that it contained the sensitive personal data of around 100 million T-Mobile customers.
The database allegedly contains customer names, International Mobile Subscriber Identity (IMSI) numbers and International Mobile Equipment Identity (IMEI) numbers (the SIM and handset identifiers, respectively), phone numbers, dates of birth, security PINs, Social Security numbers, and driver’s license numbers. The seller says the database has never been sold before and includes fresh data, including 30 million unique Social Security and driver’s license numbers. The database was listed for sale for 6 BTC (around $270,000).
A sample of the data was included as proof, although the post did not disclose where the data came from. Both Motherboard and Bleeping Computer contacted the seller, who claimed the database was stolen from T-Mobile and provided, as proof of access, a screenshot of an SSH session on a T-Mobile Oracle production server. Checks performed on the sample appear to indicate the information belongs to genuine T-Mobile customers.
The hackers claim to have breached two servers used by T-Mobile for production, staging, and development, one of which was an Oracle database server holding customer information. Multiple databases are alleged to have been stolen, including T-Mobile’s customer relationship management database, totaling 106 GB of data. The seller claims the intrusion was probably detected, as they lost backdoor access to the servers, although not before the databases had been downloaded.
In hacks such as this it is common for threat actors to notify the breached entity and issue a ransom demand, promising that if the ransom is paid the data will be returned and all copies permanently deleted (a promise the victim has no way to verify). In this case that does not appear to have happened; instead, the database was offered for sale on a hacking forum. The seller claims to have already been contacted by interested parties.
The decision not to first offer the data to T-Mobile suggests the cyberattack may have been conducted, in part, to harm T-Mobile, but the hackers told Hudson Rock CTO Alon Gal that the attack was conducted to harm US infrastructure.
In a conversation with Gal, the hackers said, “This breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019.”
Binns, a resident of Turkey, was a suspected ISIS terrorist who was investigated by the Federal Bureau of Investigation (FBI) over his alleged role in the Satori botnet conspiracy and other cybercrime cases.
Binns sued the FBI, CIA, and Department of Justice last year, alleging he was harassed and tortured in relation to the investigation, and is attempting to obtain documents about those activities from the United States under the Freedom of Information Act.
T-Mobile issued a statement confirming it is aware of the claims of a data breach and has launched an investigation to determine the validity of the claims.
UPDATE: On August 16, 2021, T-Mobile confirmed that its systems had been breached but said it had not yet determined whether customer data was stolen in the attack. On August 18, 2021, T-Mobile confirmed that customer data had been accessed and put the figure well below the number stated by the seller of the data.
Of the files covering current postpaid customers and former or prospective customers, T-Mobile said: “Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.” On prepaid accounts it added: “At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed,” and “We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files.”
T-Mobile confirmed the breach affected:
- 40 million former or prospective customers
- 850,000 T-Mobile prepaid users
- 7.8 million T-Mobile postpaid customers
In total, that is around 48.65 million individuals.
UPDATE #2 – T-Mobile has revised its figures and now says the personal information of approximately 54 million individuals was compromised.
The new breakdown is as follows:
- 13.1 million current T-Mobile postpaid customer accounts: Data breached includes first and last names, dates of birth, Social Security numbers, and driver’s license information.
- 40 million former or prospective T-Mobile customers: Data breached includes first and last names, dates of birth, Social Security numbers, and driver’s license information.
- 667,000 accounts of former T-Mobile customers: Data breached includes customer names, phone numbers, addresses and dates of birth.
- 850,000 active T-Mobile prepaid customers: Data breached includes names, phone numbers and account PINs.
- 52,000 names related to current Metro by T-Mobile accounts.