Possible T-Mobile data breach may affect 100 million customers — what you can do

T-Mobile MVNOs
(Image credit: T-Mobile)

Update: This breach is even worse that we thought. Click here.

A data thief claims to have stolen the information of 100 million customers from T-Mobile customers, and the company acknowledged it is investigating a possible data breach.

"We are aware of claims made in an underground forum and have been actively investigating their validity," the company told Vice Motherboard. "We do not have any additional information to share at this time."

The thief posted a For Sale sign on an online cybercriminal forum, asking 6 bitcoin (about $284,000 in U.S. dollars) for part of the purported T-Mobile data that supposedly includes 30 million Social Security numbers and driver's-license numbers. 

The seller told Vice Motherboard that the data on the other 70 million people is being sold privately. It all supposedly includes names, phone numbers, physical addresses and IMEIs (handset IDs). 

Bleeping Computer, which also saw the forum post and communicated with the seller, said the data also includes phone IMSIs (SIM card IDs), customer dates of birth and T-Mobile account PINs.

Vice Motherboard said it had confirmed that a sample of the data it saw was real. We don't know that for certain yet, but the types of customer data stolen overlap nicely with what T-Mobile admitted was swiped from its servers during an incident in March 2021, although T-Mobile said that breach involved only about 400 customers, not 100 million.

What you need to do about this

If you're a T-Mobile customer, it would be best to change your account PIN and password immediately. 

You might also want to consider subscribing to a identity-theft-protection service, as the apparent theft of Social Security numbers and dates of birth is putting a lot of people at serious risk. Just bear in mind that these services can get expensive.

Bleeping Computer noted that the post didn't mention that the data had come from T-Mobile, although the seller told both Bleeping Computer and Vice Motherboard that it had.

This is far from the first time that T-Mobile has responded to reports of a data breach. By our count, the company was hacked three different times in the past 18 months — March 2021, December 2020 and March 2020. The company was also hacked in August 2018

If you're serious about protecting your personal information, you may want to consider another wireless carrier with a better track record.

Update: Further comment from T-Mobile

In statements later Monday to Bleeping Computer, Vice Motherboard and ZDNet, T-Mobile confirmed that a breach did occur, but could not confirm what was taken and how many customers were affected.

"We have determined that unauthorized access to some T-Mobile data occurred; however, we have not yet determined that there is any personal customer data involved," said the T-Mobile statement. 

"We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed."

The seller of the stolen data told Bleeping Computer that T-Mobile's "entire IMEI history database going back to 2004" had been stolen.

An International Mobile Equipment Identity number, or IMEI, is a unique ID number given to every handset that can access GSM-based cellular networks, such as those operated by AT&T and T-Mobile.

Read next: Uber is the latest company to investigate a serious data breach, after a hacker appeared to gain access to internal systems

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.