T-Mobile customers hit by data breach: What to do right now

The front of a T-Mobile retail store in the Boston area.

(Image credit: m_sovinskii/Shutterstock)

T-Mobile yesterday (March 4) announced that some consumer personal information may have been accessed by criminals, including "customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information."

"Financial information (including credit card information) and Social Security number were [sic] not impacted," the company said in a notice posted on the T-Mobile website, to which affected users were being sent via text messages sent to their T-Mobile phones.

Best phone carriers: The top bang for your wireless buck
How to stop your phone number from being hijacked
Just In: Windows 10 update bug seriously slows start up time: How to fix it now

T-Mobile blamed the data breach on a "sophisticated attack" that targeted its internal email vendor and "led to unauthorized access to certain T-Mobile employee email accounts" that contained the customer data.

No details were given on how many customers may have been affected, or when the intrusion began and ended.

T-Mobile data breach: What to do

"We are not aware of any evidence where the information contained in the affected email accounts has been used to commit fraud or otherwise misused," the company said, adding that "it is always a good idea to review your account information and update the personal identification number (PIN/passcode) on your T-Mobile account."

T-Mobile said that it was "is in the process of notifying customers," and that anyone concerned they may have been impacted either call 611 from a T-Mobile phone or 1-800-937-8997 from any phone.

More: Stay private on the go with the best mobile VPN apps

SIM swappers to blame?

T-Mobile didn't suggest any possible motive for the data breach and possible data theft, but the type of information compromised is what online criminals would use in SIM-swapping attacks.

SIM-swapping is when crooks call customer service, or walk into a carrier's retail store, impersonate a legitimate customer of the carrier and ask for that customer's calling number to be transferred to a new phone or SIM card.

The aim is often to receive two-factor authentication (2FA) codes texted to the victim's phone number, with the ultimate goal of hijacking financial accounts or stealing cryptocurrency. SIM-swapping can also be used to abuse pay-by-phone accounts in some cases.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.