T-Mobile customer accounts have been hit by cybercriminals -- but it's not clear how many accounts were compromised, or whether T-Mobile itself has suffered a data breach.
The attacks affected only prepaid customers, who have been notified via SMS text message, T-Mobile said in a notice posted on its website yesterday (Nov. 21). The personal data revealed included names, addresses, telephone numbers and the customers' T-Mobile account numbers, rates and plan details. No credit card numbers, passwords or Social Security numbers were compromised.
Nevertheless, T-Mobile says affected users should change their account passwords and PINs by dialing 611 from a T-Mobile number or 1-800-T-MOBILE from any phone. If you've not received an SMS notification but think you might be affected, you can call either of those two numbers or email firstname.lastname@example.org to check.
So what happened?
T-Mobile hasn't revealed many details about this incident, but the company told Cnet that a "very small single digit percentage of customers" were affected, and it told Bleeping Computer that the incident was discovered in early November.
Because no user passwords or email addresses appear to have been involved, this doesn't look like a case of credential stuffing.
That's when crooks harvest millions of credentials revealed by past data breaches and use them to try to break into non-breached services, knowing that reused passwords will get them access in many instances. The Disney Plus account hijacks revealed earlier this week were likely the result of credential stuffing.
So it would seem that T-Mobile did suffer some kind of network break-in. We'll have to wait for more information to trickle out before we'll know for certain.
Enough data for SIM swaps?
Normally, the fact that passwords, financial data or Social Security numbers were not affected by a data breach would be good news. Yet the information that was stolen from these T-Mobile customers might still be enough to facilitate a "SIM swap" or "port out" attack.
In other words, a crook could use a legitimate customer's name, address, account number and phone number to trick a T-Mobile customer-service representative into transferring the customer's phone number to the crook.
Because so many online services use SMS text messages and voice calls to confirm a user's identity when a password is lost or changed, SIM swapping has led to many online accounts being hijacked by crooks, often with serious financial losses.
The danger of SIM swaps may be one reason T-Mobile is asking affected customers to change their account passwords. Scarily, though, if your number has already been stolen, then you won't get the SMS alerting you that your account may have been compromised.
T-Mobile and other carriers have various mechanisms in place that, in theory, make it harder for crooks to pull off SIM swaps, but in practice it's often just a matter of sweet-talking a customer-service rep over the phone.
Perfect opportunity for phishing scams
Unfortunately, the way that T-Mobile is notifying affected customers creates a perfect opportunity for phishing scams.
The company's texted notification, as seen in this image posted to Reddit, asks users to click on a link for more information. The link goes to the T-Mobile security-notice page we've linked to above.
That's exactly what a scammer trying to steal your account credentials would do as well. The difference would be that the scammer's link would go to a fake T-Mobile page at which the customer would be asked to input his or her account number, password and possibly even a credit card.
So if you do get a T-Mobile breach notification, don't click on the link. Instead, manually type "t-mo.co/securityinfo" in a web browser address bar to be taken to the correct page.