The first thing to notice is that T-Mobile does not seem to be limiting its offer of 2 years of free McAfee ID Theft Protection to affected individuals. Instead, from the look of the information you need to provide, it seems like T-Mobile is letting anyone sign up.
- Companies that don't protect your data don't deserve your business
- The best identity theft protection services
- Plus: Your food-delivery app is under attack by hackers so here's what to do
That's very unusual. Normally, a company suffering a data breach reaches out to affected persons via email or a posted letter to notify those people that their data has been compromised.
If there's an offer of identity-theft-protection, the letter or email will include a code with which the affected individual can sign up for the service. This obviously discourages freeloaders who just want the free identity protection.
All T-Mobile wants is an email address and a phone number
But on the registration page for T-Mobile's free identity-theft protection (opens in new tab), all you need to provide is an email address or a phone number. We did so, and were told on the following screen that we'd receive an email within a few days containing instructions on how to sign up for the ID-theft protection service.
Everyone who's ever had a postpaid T-Mobile account (one for which you get a monthly bill) should sign up for this protection. So should everyone who thinks they might have applied for a T-Mobile account in the past two decades, whether they ended up with an account or not.
Overall, however, throwing the gates open to all comers may indicate that T-Mobile doesn't know how to reach everyone who was affected.
According to T-Mobile's own figures (opens in new tab), not only did 7.8 million current T-Mobile customers have their names, addresses, dates of birth and Social Security numbers compromised, but so did a bit more than 40 million former customers and people who applied for T-Mobile accounts but never got them.
We're talking about more than one in five American adults possibly being affected by this data breach. It makes sense that T-Mobile might want to cast a wide net.
Current T-Mobile customers with active accounts should be easy for the company to reach, but former customers may have changed their email addresses and phone numbers.
Prospective customers who never opened an account may be even harder to contact, especially if the stolen data goes back to T-Mobile's establishment in 2002.
We figure T-Mobile might want to comb through the stolen data and match those applicants for free identity-theft-protection with the names and phone numbers of those people whose personal data was actually stolen. We'll let you know when we get that email from T-Mobile with identity-theft-protection setup instructions.
Other things you can do to protect yourself
Other aspects of the T-Mobile data-breach-assistance page are pretty good. There are links to pages that let you change your T-Mobile account PIN (opens in new tab), change your T-Mobile account password (opens in new tab) and activate the company's free Account Takeover Protection (opens in new tab) and Scam Shield (opens in new tab) features, as well as to the breach-related McAfee ID Theft Protection.
If you're a current or former T-Mobile customer, you need to change your account PIN and password right away. The company has already reset the PINs for T-Mobile prepaid customers, as their passwords and PINs were definitely stolen, but postpaid customers should do this as well.
And, while this feels like beating a dead horse, consider switching to another carrier. This is at least the fourth, and by some counts the sixth (opens in new tab), major T-Mobile data breach in the past three years. It won't be the last.