On August 16, telecommunications giant T-Mobile announced it was investigating a breach that allegedly exposed sensitive data from millions of T-Mobile customers in the United States. In a statement released on the same day, T-Mobile confirmed “unauthorized access” to their data, but had yet to determine if any personal customer data was involved.
The data breach first came to light when a Twitter user started posting about the details of the leaked information. Another user posted on a cybercrime forum, advertising over 100 million “freshly hacked” records from T-Mobile, claiming that they had the name, date of birth, SSN, driver’s license information, security PIN, address, and phone number of 36 million T-Mobile customers in the U.S.
After locating and closing the access point the company believed the attackers used to enter its systems, T-Mobile continued to investigate the breach, which it called a highly sophisticated cyberattack, in the following days. As of August 17, it found that information from about 7.8 million current T-Mobile customers was compromised.
The company confirmed that the data from approximately 40 million former or prospective customers was also compromised. While they confirmed that phone numbers, account numbers, PINs, passwords, and financial information were not leaked, T-Mobile still urged its customers to proactively protect their accounts by changing their account PINs. For around 850,000 active customers whose names, phone numbers and account PINs were leaked, T-Mobile proactively reset their PINs and contacted them to let them know.
In response to the breach, T-Mobile offered two years of free identity theft protection services to affected customers, but for many, it might already be too late. With their leaked data available on the internet, it’s only a matter of time until scammers use this data to launch targeted phishing attacks. Known as “spear phishing,” these targeted attacks use personal information like your name, place of work, and interests to pose as a trusted source, like your boss. Because these attacks are highly personalized, they are much more effective than more general phishing attacks.
What might be more alarming is that the breach also leaked IMEI and IMSI information — the identifier numbers associated with a mobile phone, which compromises the security of SMS-based two-factor authentication. If you have ever received a text message with a one-time passcode to log into your bank or another online service, then you have used SMS-based two-factor authentication, or 2FA for short. Many organizations in finance, healthcare, and government use SMS-based 2FA as an extra layer of security to prevent unauthorized access with just a username and password.
However, two-factor authentication using SMS messages isn’t as secure as you might imagine. Because IMSI is the unique identifier for a mobile phone’s SIM card, a hacker can use stolen IMSI data to duplicate someone’s SIM card and gain access to their phone number. Then, by requesting a one-time passcode be sent to the phone number, they can enter their victim’s accounts, transfer money out of their bank accounts, and even lock them out completely.
Cybersecurity experts have called on consumers to stop using SMS 2FA for years, citing the growing trend of SIM swapping attacks that let hackers read any of their victims’ SMS messages, including those with one-time passcodes. Because SMS is built into the infrastructure of cellular networks, the security of SMS-based two-factor authentication relies on the security of these networks — which can be compromised, as the recent T-Mobile breach has shown.
SMS-based 2FA is popular because of its convenience: Users don’t need to download another app, and they can receive text messages on any type of mobile phone. However, that convenience comes at the cost of security, because the one-time code travels over the cellular network and is tied to a phone number rather than a device. Instead, I recommend using an authenticator app, like Authy or Google Authenticator, for two-factor authentication. Rather than receiving one-time passcodes via SMS, you generate these security codes in the app from a secret that lives only on that device. By restricting 2FA to trusted devices rather than phone numbers, hackers cannot gain access to users’ accounts as easily.