After a Motherboard report this weekend revealed that hackers on a online forum claimed to be selling personal data from T-Mobile customers, the carrier has confirmed the worst: a “highly sophisticated cyberattack” has exposed personal data for some 50 million accounts, including Social Security and driver’s license numbers, as well as account PINs.
The bulk of the compromised accounts aren’t even T-Mobile customers. The carrier says that “just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile” were part of the hack. It doesn’t say how far back the data was stored.
T-Mobile says the leak includes “first and last names, date of birth, SSN, and driver’s license/ID information” for current and former postpay customers as well as prospective T-Mobile customers. The numbers break down like this:
- Just over 40 million records of former or prospective customers
- Approximately 7.8 million current T-Mobile postpaid customer accounts’ information
- Approximately 850,000 active T-Mobile prepaid customers
Additionally, the company says there was “some additional information” from inactive prepaid accounts accessed through prepaid billing files.
T-Mobile says that it hasn’t uncovered evidence of “any customer financial information, credit card information, debit or other payment information.” However, it has reset the PINs on affected accounts “to help protect these customers” and recommends all T-Mobile postpaid customers reset their PINs as a precaution. It says there weren’t any Metro by T-Mobile, former Sprint prepaid, or Boost customers who had their names or PINs exposed but those customers might want to change their PIN as well.
In response, the carrier is offering two years of free identity protection services with McAfee’s ID Theft Protection Service as well as Account Takeover Protection capabilities for postpaid customers. It will be contacting the affected individuals with more information.
T-Mobile is still investigating the attack. The original report claimed hackers had stolen data related to more than 100 million customers with “full customer info,” though financial information doesn’t appear to have been part of the breach.