T-Mobile yesterday (March 4) announced that some consumer personal information may have been accessed by criminals, including "customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information."
"Financial information (including credit card information) and Social Security number were [sic] not impacted," the company said in a notice posted on the T-Mobile website, to which affected users were being directed via text messages sent to their T-Mobile phones.
T-Mobile blamed the data breach on a "sophisticated attack" that targeted its internal email vendor and "led to unauthorized access to certain T-Mobile employee email accounts" that contained the customer data.
No details were given on how many customers may have been affected, or when the intrusion began and ended.
T-Mobile data breach: What to do
"We are not aware of any evidence where the information contained in the affected email accounts has been used to commit fraud or otherwise misused," the company said, adding that "it is always a good idea to review your account information and update the personal identification number (PIN/passcode) on your T-Mobile account."
T-Mobile said that it "is in the process of notifying customers," and that anyone concerned they may have been impacted should call either 611 from a T-Mobile phone or 1-800-937-8997 from any phone.
SIM swappers to blame?
T-Mobile didn't suggest any possible motive for the data breach and possible data theft, but the type of information compromised is what online criminals would use in SIM-swapping attacks.
SIM-swapping is when crooks call customer service, or walk into a carrier's retail store, impersonate a legitimate customer of the carrier and ask for that customer's calling number to be transferred to a new phone or SIM card.
The aim is often to receive two-factor authentication (2FA) codes texted to the victim's phone number, with the ultimate goal of hijacking financial accounts or stealing cryptocurrency. SIM-swapping can also be used to abuse pay-by-phone accounts in some cases.