100m T-Mobile Customer Records Purportedly Up for Sale

UPDATE: T-Mobile confirmed the breach, but hasn’t confirmed whether customer data was involved. The offer: 30m records for ~1 penny each, with the rest being sold privately.

A threat actor is selling what they claim to be 30 million T-Mobile customers’ Social Security and driver license numbers on an underground web forum. The collection is a subset of the purported 100 million records contained in stolen databases.

The seller told Motherboard – which first reported the news – that for now, they’re privately selling the rest.

The seller also told Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, that this sucker-punch to US infrastructure was done in retaliation, as Gal tweeted on Sunday: “This breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019,” the threat actor told Gal. “We did it to harm US infrastructure.”

https://twitter.com/UnderTheBreach/status/1426923538099970050

Binns is a US citizen who lives in Turkey and who sued the FBI, CIA and Department of Justice in 2020, alleging that he was tortured and harassed by the US and Turkish governments and is seeking to compel the USA to release documents regarding these activities under the Freedom of Information Act.

Infosec Insiders Newsletter

The seller’s offer doesn’t mention T-Mobile, but the seller told Motherboard and BleepingComputer that the source is in fact the telecommunication kingpin’s servers. Specifically, they claim to have penetrated T-Mobile’s production, staging, and development servers two weeks ago, including an Oracle database server that held the customer data, according to what they told BleepingComputer.

As proof of the theft, the threat actor shared with BleepingComputer a screenshot of an SSH connection to a production server running Oracle.

081621 13:50 UPDATE: On Monday morning, T-Mobile told news outlets that it’s investigating the alleged data breach, which first came to light on an underground forum over the weekend. On Monday afternoon, the company confirmed to Threatpost that it has determined that there’s been unauthorized access to “some T-Mobile data,” though it didn’t answer questions about the scope of the breach.

T-Mobile hasn’t  yet determined whether personal customer data was involved but said that it was “confident that the entry point used to gain access has been closed,” confirming the threat actor’s claim that the telecom giant had closed down whatever backdoor they’d crawled through. T-Mobile also said that a “deep technical review of the situation” across its systems to identify the nature of any data that was illegally accessed is currently ongoing.

“This investigation will take some time but we are working with the highest degree of urgency,” the statement continued. “Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

The company said that it’s working with law enforcement on the incident. Its full statement is included below.

Even if T-Mobile hasn’t yet confirmed that their personal data was involved in the breach, T-Mobile customers would be well-advised to change their security PINs, given the laundry list of details that were purportedly exposed. The seller told BleepingComputer that the records contain:

  • Social Security numbers
  • Phone numbers
  • Names
  • Security PINs
  • Physical addresses
  • Unique IMEI numbers
  • IMSI numbers
  • Driver license numbers
  • Dates of birth

The attacker told BleepingComputer that T-Mobile’s “entire IMEI history database going back to 2004 was stolen.” IMEI (International Mobile Equipment Identity) is a unique 15-digit code that precisely identifies a mobile device with the SIM card input, and an IMSI (International mobile subscriber identity) is a unique number that identifies every user of a cellular network.

Fresh Baked, and Such a Bargain

The asking price for the 30m records is six bitcoin, which was worth about $280,000 as of Monday morning East Coast time.

BleepingComputer posted a screenshot of the forum post, which claimed that the records are “Freshly dumped and NEVER sold before!” It added that “SERIOUS BUYERS ONLY!” should inquire.

Forum post. Source: BleepingComputer.

Motherboard’s Joseph Cox has seen samples of the data and confirmed that it’s accurate information belonging to T-Mobile customers. In short, the records contain “Full customer info” for T-Mobile USA customers, the threat actor told Motherboard in an online chat.

T-Mobile has apparently responded by turning off the leaky faucet(s): The seller told Motherboard that they’ve “lost access to the backdoored servers.”

No matter, the purported thief said: They already made backups “in multiple places.”

Cybersecurity intelligence firm Cyble told BleepingComputer that the threat actor claims that they obtained several databases, totaling approximately 106GB of data, including T-Mobile’s customer relationship management (CRM) database.

A Penny Per Person

The asking price is crazy cheap, one expert told Threatpost: It comes out to about a penny per purported victim. That’s quite a bargain for cybercrooks, given that the records are rich in data that can be used to conduct ” targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud.”

Ilia Kolochenko, founder of the Swiss app sec firm ImmuniWeb and a member of the Europol Data Protection Experts Network, told Threatpost that what’s even worse is that the records reportedly encompass data from 2004 to 2021 and “can cause extreme invasion of privacy or be used for blackmailing of wealthy victims.

“Given that the offer seems to be new and unique, the price is very cheap: just 1 cent per victim. The records, which allegedly contain such extremely sensitive data as social security numbers and full histories of mobile phone usage, can be exploited to conduct targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud,” Kolochenko said via email.

Kolochenko thinks it’s “pretty likely” that one of T-Mobile’s suppliers could have unwittingly facilitated or caused the data breach, “Based on the available technical information.”

“If so, it will be another grim reminder about the importance of Third-Party Risk Management (TPRM) programs and risk-based vendor vetting,” he noted.

T-Mobile could be in for a world of legal hurt if the breach is confirmed, Kolochenko predicted. “T-Mobile may face an avalanche of individual and class action lawsuits from the victims, as well as protracted investigations and serious monetary penalties from the states where the victims are based.

Nonetheless, it’s too early to freak out, Kolochenko advised: “It would be premature to make conclusions before T-Mobile makes an official statement on the quantity and nature of the stolen data. The potential victims should refrain from panic and contact T-Mobile asking what type of intermediary support and compensation may be provided while the investigation is in progress. Some remediate actions, such as changing your driving license, may be time-consuming and costly, and I’d not precipitate here unless T-Mobile undertakes to cover the costs or confirm that the information was actually stolen.”

One of the Year’s Biggest Breaches

If T-Mobile was in fact breached, and if 100 million customers’ data was in fact involved, it won’t be the biggest breach so far this year. It’s outdone by the LinkedIn breach in June, in which 700 million users’ data was posted for sale on the underground.

Still, it’s up there.

Jack Chapman, vice president of threat intelligence at Egress, told Threatpost on Monday that the threat to T-Mobile is high. “The data leaked in this breach is reported as being already accessible to cybercriminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims,” Chapman said in an email.

He advised affected customers to be wary of “any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.”

Chapman added that the incident “highlights the need for organizations such as T-Mobile to put in place the right technology to secure their sensitive data and defend their employees and their company from targeted attacks by cybercriminals. It’s time for organizations to take responsibility and ensure they’re keeping their customers’ data out of the hands of cybercriminals.”

UPDATE: Breach Confirmed, T-Mobile Works ‘Around the Clock’ on Investigation

081621 15:48 UPDATE: T-Mobile provided the following statement to Threatpost:

“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.

“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

“We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”

Threatpost Webinar Series Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Suggested articles