First came blockbuster claims over the weekend that the personal data of over 100 million of T-Mobile's users was breached and being sold.

In scale, this would be among the biggest carrier data breaches ever.

Now the operator has acknowledged it has indeed suffered a data breach involving "unauthorized access to some T-Mobile data."

Figure 1: Into the breach: T-Mobile has admitted hackers gained access – but are worryingly vague about what might have been stolen.
(Source: Gerd Altmann from Pixabay)

But T-Mobile says it doesn't yet know what's been taken.

A hacker posting on an online forum has asked for six Bitcoin (about $285,000) in return for 30 million social security numbers and driver's licenses from the stolen data, according to a report by Vice on Sunday.

The hacker said the data came from T-Mobile servers, and that the rest of the data was being sold privately.

The data trove includes names, telephone numbers, physical addresses, IMEI numbers of telephones, as well as social security numbers and driver's license details.

And that particular blend of data creates a recipe for crafting more believable SMS-based phishing messages. IMEI numbers in particular rarely become available on the dark web.

Hack attack

According to the hacker, T-Mobile misconfigured a gateway GPRS support node which was apparently used for testing, said Jeremy Kirk on Twitter.

That node was exposed to the Internet, allowing the hacker, who appears to be based in Belarus, then to pivot into the company's LAN.

The hacker could then "brute force/credential stuff SSH (secure shell) on more than 100+ servers, some Oracle," adds Kirk.

As these servers are internal, there is no rate limit on server queries.

"We are confident that the entry point used to gain access has been closed," promised T-Mobile in a statement Monday, adding while it was exploring what data had been illegally accessed, "this investigation will take some time."

They ransomware

"I think they already found out because we lost access to the backdoored servers," a seller on an underground forum told Vice's Motherboard.

The data trove, though, is "backed up in multiple places," after two-to-three weeks during which the hacking gang had access to T-Mobile's servers, the person added.

The magazine said it confirmed the accuracy of the data in a sample which the hackers shared, by contacting several of the T-Mobile customers in question.

This adds to the operator's woes on the heels of a ruling released on Friday, finding T-Mobile made "false and misleading statements" to California's public utilities commission about plans for Sprint's legacy 3G CDMA network.

The statements in question involved the operator saying under oath it planned to shut down the legacy network over a three-year timeframe.

It then accelerated this to next year, saying it needed the spectrum in question to support 5G services.

Dish, which bought Sprint's Boost Mobile prepaid brand during the merger, then complained to regulators it had been misled by T-Mobile.

The news also comes as 2021 turns out to be a big year for hacking globally.

In July, the US, UK, Nato, EU, Australia, New Zealand, Canada and Japan accused China of hacking into Microsoft's Exchange servers earlier this year, affecting governments and large corporations.

Want to know more about security? Check out our dedicated security channel here on Light Reading.

The unusually broad coalition characterized China's actions as "irresponsible, disruptive, and destabilizing."

Meanwhile, T-Mobile, which last year completed a $26 million merger with Sprint, has had bad luck with hackers.

In January, a breach saw 200,000 call records and subscriber data stolen.

In 2019, a breach on the operator's email systems saw employee email accounts and customer data hacked, while in 2018 as many as 2 million customers had their personal data scraped.

This may be the company's sixth known data breach in four years.

Related posts:

— Pádraig Belton, contributing editor special to Light Reading