T-Mobile suffers its second data breach of 2023, affecting 836 customers. Find out what information was exposed and the measures taken to mitigate

Continue reading
On April 28, 2023, T-Mobile disclosed its second data breach of the year, which affected 836 customers. Attackers had unauthorized access to customers' personal information for more than a month, beginning in late February. The breach was discovered in March 2023. T-Mobile has taken proactive measures, including resetting account PINs and offering two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity.
While the number of affected individuals is significantly lower than previous breaches, the amount of exposed information is extensive and puts them at risk of identity theft and phishing attacks.
The exposed information varied for each affected customer but could include their full name, contact information, account number, and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts, and the number of lines. The threat actors did not gain access to call records or personal financial account information, but the exposed personally identifiable information is enough for identity theft.
T-Mobile reset account PINs for impacted customers and offers them two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity. The mobile carrier has disclosed seven other data breaches since 2018, including one that exposed the information of roughly 3% of all T-Mobile customers. The company has faced criticism for its security measures and handling of previous incidents, leading to questions about whether it is doing enough to protect customer data.
The previous data breach disclosed by T-Mobile in 2023 occurred on January 19, after attackers stole the personal information of 37 million customers by exploiting a vulnerable API in November 2022. The company discovered the threat actors' malicious activity on January 5 and cut off their access to its systems within 24 hours. The stolen data included basic customer information such as name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.
In 2019, T-Mobile exposed the account information of an undisclosed number of prepaid customers. In March 2020, T-Mobile employees were affected by a data breach exposing their personal and financial information. In December 2020, threat actors accessed customer proprietary network information (phone numbers, call records). In February 2021, an internal T-Mobile application was accessed by unknown attackers without authorization. In August 2022, hackers brute-forced through the carrier's network following a breach of a T-Mobile testing environment. In April 2022, the Lapsus$ extortion gang breached T-Mobile's network using stolen credentials.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been