Passwords Part of Data Breach, T-Mobile Admits: What to Do Now

Updated

UPDATED 4:00 p.m. EDT Friday with bad news that T-Mobile user passwords may indeed have been compromised. You should change your T-Mobile password as quickly as possible.

T-Mobile announced that on Thursday, it discovered and shut down a brief security breach.

Credit: Jonathan Weiss / Shutterstock.comCredit: Jonathan Weiss / Shutterstock.comWhile it caught the breach quickly, T-Mobile told Motherboard that hackers were able to grab the data of almost three million people. Personal data including customers' name, billing zip code, phone number, email address, account number and account type were compromised.

Still, it could be worse: T-Mobile claims that none of your financial data, Social Security numbers, or passwords were compromised. T-Mobile is not aware of the identities of the hackers involved, and whether they are government- or criminal-affiliated. The company told Motherboard that the attackers were part of "an international group." 

"We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you," the announcement reads. 

In the announcement late Thursday night, the company claimed it would "shortly" be sending texts to customers who were affected. 

This isn't the first time T-Mobile customers have had to worry about fraud. In February, the company texted warnings to its post-paid customer base about a sudden uptick in port-out frauds (a scam where a criminal impersonates you to port your number to another wireless carrier). This led to multiple customers' bank accounts being compromised and, in some cases, drained.

Anyone whose account was affected by this breach is at greater risk of becoming the victim of a port-out scam.

What to Do Now

If you're among the customers whose personal data were compromised in this breach, even though the carrier claims no passwords were impacted, it's still a good idea to change yours. Once a hacker has your account number, phone number, and email address, it's easier for them to obtain your login information.

And while it's probably not necessary since payment information and social-security numbers weren't taken here, you can also sign up for an identity-monitoring service if you're very worried.

UPDATE: Late Friday, Motherboard report Lorenzo Franceschi-Bicchierai, who broke the original story, tweeted that he had learned that encrypted passwords were indeed compromised in the T-Mobile data breach.

"We obtained a sample of one 'encrypted password' and turns out it may be a Base64 string that decodes to a MD5 hash," Franceschi-Bicchierai posted on Twitter. "In other words, it could potentially be cracked."

Base64 is an easily reversible encryption algorithm, and anyone can decipher a Base64 string using online tools. MD5 is a one-way-hash algorithm that was designed in 1992 to be irreversible, but has since been found to be severely compromised.

If your T-Mobile password was based on a dictionary word and it was part of the data breach -- and you don't know yet if it wasn't -- then you can consider it cracked.

When Franceschi-Bicchierai asked his T-Mobile contact why the company had originally said no passwords were compromised, the spokesperson replied that "they weren't ... they were encrypted."