T-Mobile hit by likely data breach: Here's what to do

T-Mobile customer accounts have been hit by cybercriminals -- but it's not clear how many accounts were compromised, or whether T-Mobile itself has suffered a data breach.

The attacks affected only prepaid customers, who have been notified via SMS text message, T-Mobile said in a notice posted on its website yesterday (Nov. 21). The personal data revealed included names, addresses, telephone numbers and the customers' T-Mobile account numbers, rates and plan details. No credit card numbers, passwords or Social Security numbers were compromised.

Nevertheless, T-Mobile says affected users should change their account passwords and PINs by dialing 611 from a T-Mobile number or 1-800-T-MOBILE from any phone. If you've not received an SMS notification but think you might be affected, you can call either of those two numbers or email privacy@t-mobile.com to check.

So what happened?

T-Mobile hasn't revealed many details about this incident, but the company told Cnet that a "very small single digit percentage of customers" were affected, and it told Bleeping Computer that the incident was discovered in early November.

Because no user passwords or email addresses appear to have been involved, this doesn't look like a case of credential stuffing. 

That's when crooks harvest millions of credentials revealed by past data breaches and use them to try to break into non-breached services, knowing that reused passwords will get them access in many instances. The Disney Plus account hijacks revealed earlier this week were likely the result of credential stuffing.

So it would seem that T-Mobile did suffer some kind of network break-in. We'll have to wait for more information to trickle out before we'll know for certain.

Enough data for SIM swaps?

Normally, the fact that passwords, financial data or Social Security numbers were not affected by a data breach would be good news. Yet the information that was stolen from these T-Mobile customers might still be enough to facilitate a "SIM swap" or "port out" attack.

In other words, a crook could use a legitimate customer's name, address, account number and phone number to trick a T-Mobile customer-service representative into transferring the customer's phone number to the crook. 

Because so many online services use SMS text messages and voice calls to confirm a user's identity when a password is lost or changed, SIM swapping has led to many online accounts being hijacked by crooks, often with serious financial losses.

The danger of SIM swaps may be one reason T-Mobile is asking affected customers to change their account passwords. Scarily, though, if your number has already been stolen, then you won't get the SMS alerting you that your account may have been compromised.

T-Mobile and other carriers have various mechanisms in place that, in theory, make it harder for crooks to pull off SIM swaps, but in practice it's often just a matter of sweet-talking a customer-service rep over the phone.

Perfect opportunity for phishing scams

Unfortunately, the way that T-Mobile is notifying affected customers creates a perfect opportunity for phishing scams.

The company's texted notification, as seen in this image posted to Reddit, asks users to click on a link for more information. The link goes to the T-Mobile security-notice page we've linked to above.

That's exactly what a scammer trying to steal your account credentials would do as well. The difference would be that the scammer's link would go to a fake T-Mobile page at which the customer would be asked to input his or her account number, password and possibly even a credit card.

So if you do get a T-Mobile breach notification, don't click on the link. Instead, manually type "t-mo.co/securityinfo" in a web browser address bar to be taken to the correct page.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.