We reported earlier this month a bug on T-Mobile website that enabled hackers to access personal user data with nothing but the subscriber's phone number. The company had said it fixed the bug and that it didn't affect anyone. T-Mobile has now alerted its customers who were targeted by criminals trying to hijack their SIM cards.
"T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," security researcher Karan Saini who discovered the flaw had said.
Further research had revealed that criminals were actually aware of this website bug for months and had a YouTube video up and running helping others on how to exploit it before it got fixed.
T-Mobile starts alerting victims of "SIM hijacking"
Over 76 71 million customers were at potential risk of "SIM swapping" where criminals take over phone numbers by requesting new SIM cards impersonating legitimate owners. T-Mobile has now said that it has alerted hundreds of its customers who were targeted by attackers trying to hijack their SIM cards.
Using the website bug, hackers could have accessed customer's email address, billing account number, IMSI, and other such details. T-Mobile says no financial data was at risk. However, even this data is enough for criminals to swap the target's SIM cards and potentially use it for nefarious purposes, including getting into banking accounts that rely on SMS-based two factor authentication.
While T-Mobile hasn't specified the exact number of customers who were targeted, in a statement to Motherboard, the company spokesperson said it was "a few hundred."
"We found that there were a few hundred customers targeted. We take our customers' privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure."
Similar to other companies trying to recover from major security disasters, T-Mobile had also initially said that it had found no evidence of any "customer accounts affected as a result of this vulnerability." Security experts continue to warn this strategy only ensures that potential victims don't take their security seriously believing the official statement. Instead, they recommend companies to proactively inform their consumers of any such breaches, attacks, and data leaks before they find any evidence, often weeks and months into investigation.
However, with Equifax, Accenture, and now T-Mobile, it is clear that we are going to be seeing a lot of "no evidence of active attacks" in the future as the number of cyberattacks grow and stories of poor security practices keep coming to the front.
- Note: In an email to Wccftech, T-Mobile claimed that it didn't notify anyone of SMS hijacking; the victims' data was accessed by a third party. The original Motherboard story continues to suggest that the reporter was contacted by the company saying that "someone was trying to duplicate" his SIM card (SMS hijacking). T-Mobile hasn't clarified if earlier reports of successful SMS hijacking are due to this data exposure. In any case, readers are suggested to enable "SMS Lock."
