T-Mobile, one of the biggest telecommunications companies in the US, was hacked nearly two weeks ago, exposing the sensitive information of more than 50 million current, former and prospective customers.
Names, addresses, social security numbers, driver’s licenses and ID information for about 48 million people were accessed in the hack, which initially came to light on August 16.
Here’s everything we know so far:
How many people are affected by the hack?
T-Mobile released a statement last week confirming that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach.
Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked.
More than 5 million “current postpaid customer accounts” also had information like names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed.
T-Mobile said another 667,000 accounts of former T- Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed.
The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.
Who attacked T-Mobile?
A 21-year-old US citizen by the name of John Binns told The Wall Street Journal and Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, that he is the main culprit behind the attack.
His father, who died when he was two, was American and his mother is Turkish. He and his mother moved back to Turkey when Binns was 18.
How did the attack happen?
Binns, who was born in the US but now lives in Izmir, Turkey, said he conducted the attack from his home. Through Telegram, Binns provided evidence to the Wall Street Journal proving he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July.
According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington where he could explore more than 100 of the company’s servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files.
“I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.”
Binns also spoke with Motherboard and Bleeping Computer to explain some dynamics of the attack.
He told Bleeping Computer that he gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” He hacked into an Oracle database server that had customer data inside.
To prove it was real, Binns shared a screenshot of his SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet.
In his interview with Motherboard, he said he had stolen the data from T-Mobile servers and that T-Mobile managed to eventually kick him out of the breached servers, but not before copies of the data had already been made.
On an underground forum, Binns and others were found selling a sample of the data with 30 million social security numbers and driver licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer.
T-Mobile CEO Mike Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
“In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said.
Binns claimed he stole 106GB of data but it is unclear whether that is true.
Why did Binns do it?
The 21-year-old Virginia native told the Wall Street Journal and other outlets that he has been targeted by US law enforcement agencies for his alleged involvement in the Satori botnet conspiracy.
He claims US agencies abducted him in Germany and Turkey and tortured him. Binns filed a lawsuit in a district court against the FBI, CIA and Justice Department in November where he said he was being investigated for various cybercrimes and for allegedly being part of the Islamic State militant group, a charge he denies.
“I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal.
The lawsuit includes a variety of claims by Binns that the CIA broke into his homes and wiretapped his computers as part of a larger investigation into his alleged cybercrimes. He filed the suit in a Washington DC District Court.
Before he was officially identified, Binns sent Gal a message that was shared on Twitter.
“The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure,” the message said, according to Gal.
Was Binns alone in conducting the attack?
He would not confirm if the data he stole has already been sold or if someone else paid him to hack into T-Mobile in his interview with The Wall Street Journal.
While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile’s systems.
Some news outlets have reported that Binns was not the only person selling the stolen T-Mobile data.
When did T-Mobile discover the attack?
The Wall Street Journal story noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said their customer data was being marketed on the dark web.
T-Mobile told ZDNet on August 16 that it was investigating the initial claims that customer data was being sold on the dark web and eventually released a lengthy statement explaining that while the hack did not involve all 100 million of their customers, at least half had their information involved in the hack.
Is law enforcement involved?
T-Mobile CEO Mike Sievert said on August 27 that he could not share more information about the technical details of the attack because they are “actively coordinating with law enforcement on a criminal investigation.”
It is unclear what agencies are working on the case and T-Mobile did not respond to questions about this.
What is T-Mobile doing about the hack?
Sievert explained that the company hired Mandiant to conduct an investigation into the incident.
“As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised,” he said in a statement
T-Mobile will also put a banner on the MyT-Mobile.com account login page of others letting them know if they were not affected by the attack.
Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen.
In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.”
The company will also be offering “Account Takeover Protection” to postpaid customers, which they said will make it more difficult for customer accounts to be fraudulently ported out and stolen. They urged customers to reset all passwords and PIN numbers as well.
Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLG to beef up their cybersecurity and give the telecommunications giant the “firepower” needed to improve their ability to protect customers from cybercriminals.
“As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added.
“They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.”
Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future.
Has this happened to T-Mobile before?
No attack of this size has hit T-Mobile before, but the company has been attacked multiple times.
Before the attack two weeks ago, the company had announced four data breaches in the last three years. The company disclosed a breach in January after incidents in August 2018, November 2019, and March 2020.
The investigation into the January incident found that hackers accessed around 200,000 customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service.
The previous breaches included a March 2020 incident where T-Mobile said hackers gained access to both its employees’ and customers’ data, including employee email accounts, a November 2019 incident where T-Mobile said it “discovered and shut down” unauthorized access to the personal data of its customers, and an August 2018 incident where T-Mobile said hackers gained access to the personal details of 2 million of its customers.
Before it merged with T-Mobile in 2020, Sprint also disclosed two security breaches in 2019 as well, one in May and a second in July.
What happens now?
Binns has not said if he has sold the data he stole, but he told Bleeping Computer that there were already multiple prospective buyers.