At the end of last week, T-Mobile was investigating reports of a “massive” customer data breach. A hacker claimed to have stolen 100 million people’s data from T-Mobile’s servers, including everything from names and driver licences to addresses and social security numbers.

It’s now confirmed something bad did take place. T-Mobile’s estimate is currently “at least” 47 million affected people, around 7.8 million of whom are current postpaid customers. The most pressing issue is the exposure of prepaid customers’ account PINs.

PIN compromise

Roughly 850k active prepaid accounts had account PINs exposed, along with names and phone numbers. These PINs are used to verify the account owner when they contact customer service. If a scammer knows your PIN, they can potentially perform a SIM swap attack: convince the carrier to move your number onto a SIM they control, and they receive your calls, your SMS messages and any SMS-based 2FA codes, which in turn lets them reset passwords on accounts tied to that number. Gaining control of a mobile number isn’t far off having the keys to someone’s digital kingdom.

What to do?

T-Mobile have outlined the situation thus far, along with some pieces of advice for anybody worried by recent events.

The priority has to be the PIN codes. The company recommends ALL postpaid customers change their PIN to a new one, even though the 850k accounts known to be affected are prepaid and there is currently no evidence that postpaid PINs have been taken. Better safe than sorry. When picking a new PIN, avoid anything derived from data that may now be in the attacker’s hands, such as a date of birth, the last digits of a social security number, or part of a phone number.

They also recommend postpaid customers sign up to their Account Takeover Protection service, which adds a further check before a number can be ported to another carrier, making things even harder for would-be hijackers. We note that T-Mobile also has a biometric verification feature, which sidesteps the problem of compromised PINs altogether. With a bit of luck, these proactive steps will help ease the concerns of anyone affected by this breach.

Even so, there are a few more things to be wary of on the horizon.

What’s next?

Any time a breach occurs, a key concern has to be phishing and social engineering. Personal information is a goldmine for people who are up to no good, and a criminal holding someone’s name, phone number and account details can make a call or text message “from T-Mobile about the breach” look very convincing. Customers should brace themselves for a wave of fresh phish served up with more personalisation than ever before, and should treat any unsolicited message asking them to confirm a PIN, password or 2FA code as suspect; go to T-Mobile’s official pages directly rather than following a link or number supplied in the message.

Anyone affected by a data breach before—and that’s a lot of us—will be familiar with the credit score dance that comes after. T-Mobile is offering “2 years of free identity protection services”, and has recently published a dedicated breach page.

From there, people can see an easy-to-digest slice of information which:

  • Explains what happened, details compromised data, and mentions their next steps.
  • Clearly advises what customers can do next, including a variety of security steps and additional resources related to credit score / monitoring / related services.
  • Lists a contact number for support calls, which is something that can easily go missing on a page like this.

All in all, not a great situation for anybody to be in. However, T-Mobile have done a good job of rounding up the details and making it obvious what people should do next. This hasn’t always been the case with major breaches in the past, and one hopes this can continue the next time something bad happens. That one-stop-shop page will almost certainly be updated should fresh information emerge, so T-Mobile customers would be wise to bookmark it and check back over the coming weeks or months.