T-Mobile data-breach website lets anyone sign up for identity-theft protection


Late on Wednesday (Aug. 18), T-Mobile posted a new web page dedicated to helping those current, former and prospective customers affected by the company's most recent data breach.

The first thing to notice is that T-Mobile does not seem to be limiting its offer of 2 years of free McAfee ID Theft Protection to affected individuals. Instead, from the look of the information you need to provide, it seems like T-Mobile is letting anyone sign up.

That's very unusual. Normally, a company suffering a data breach reaches out to affected persons via email or a posted letter to notify those people that their data has been compromised. 

If there's an offer of identity-theft protection, the letter or email will include a code with which the affected individual can sign up for the service. This obviously discourages freeloaders who just want the free identity protection.

All T-Mobile wants is an email address and a phone number

But on the registration page for T-Mobile's free identity-theft protection, all you need to provide is an email address or a phone number. We did so, and were told on the following screen that we'd receive an email within a few days containing instructions on how to sign up for the ID-theft protection service.

Everyone who's ever had a postpaid T-Mobile account (one for which you get a monthly bill) should sign up for this protection. So should everyone who thinks they might have applied for a T-Mobile account in the past two decades, whether they ended up with an account or not.

Overall, however, throwing the gates open to all comers may indicate that T-Mobile doesn't know how to reach everyone who was affected. 

According to T-Mobile's own figures, not only did 7.8 million current T-Mobile customers have their names, addresses, dates of birth and Social Security numbers compromised, but so did a bit more than 40 million former customers and people who applied for T-Mobile accounts but never got them.

We're talking about more than one in five American adults possibly being affected by this data breach. It makes sense that T-Mobile might want to cast a wide net. 

Current T-Mobile customers with active accounts should be easy for the company to reach, but former customers may have changed their email addresses and phone numbers. 

Prospective customers who never opened an account may be even harder to contact, especially if the stolen data goes back to T-Mobile's establishment in 2002.

We figure T-Mobile might want to comb through the stolen data and match those applicants for free identity-theft protection with the names and phone numbers of those people whose personal data was actually stolen. We'll let you know when we get that email from T-Mobile with identity-theft-protection setup instructions.

Other things you can do to protect yourself

Other aspects of the T-Mobile data-breach-assistance page are pretty good. There are links to pages that let you change your T-Mobile account PIN, change your T-Mobile account password and activate the company's free Account Takeover Protection and Scam Shield features, as well as to the breach-related McAfee ID Theft Protection.

If you're a current or former T-Mobile customer, you need to change your account PIN and password right away. The company has already reset the PINs for T-Mobile prepaid customers, as their passwords and PINs were definitely stolen, but postpaid customers should do this as well.

And, while this feels like beating a dead horse, consider switching to another carrier. This is at least the fourth, and by some counts the sixth, major T-Mobile data breach in the past three years. It won't be the last.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.