T-Mobile Breach

Behind T-Mobile Data Breach

T-Mobile went through a second significant data breach in late January, but external cybersecurity experts are only now starting to provide details about the breach and how criminals used the stolen data. New examination of the breach and hacker communications shows criminals were exploiting the vulnerability for most of last year to attack individual T-Mobile customers. Hackers used access to T-Mobile employee login credentials to offer SIM swapping events on encrypted chat forums, targeting individual users on the mobile network for a low fee.

SIM swapping is a practice used by criminals to take over a targeted mobile phone number. Hackers can either convince the mobile phone carrier to move the targeted number's service to a different device or, in this case, use employee credentials to move the number themselves. SIM swappers then act quickly to use the number to infiltrate sensitive accounts that rely on it for two-factor authentication.

Three hacker groups claimed they were using T-Mobile employee credentials to enable SIM swaps and attack its customers. Records from encrypted chat logs show criminals offering SIM swapping events for $1000-$1500 per customer for most of 2022. The events started to subside in November and December as T-Mobile gained better control of the issue. This problem also appears to be unique to T-Mobile and does not affect the other two large mobile carriers as often or as easily.

The data breach of 37 million current customers that T-Mobile admitted to in January allowed criminals to target high-profile individuals and pay to have their phone number swapped to a different device for anywhere from 15 minutes to a couple of days. During that time, criminals use other compromised credentials to log into bank accounts or other personal accounts, pass the two-factor authentication check with the swapped number, and steal more information or money.

The hackers mostly used voice phishing: they would call T-Mobile employees on the phone, impersonate internal IT employees, and ask the T-Mobile employee to log into a fake security tool that captured the employee's credentials. The bigger story of the breach is T-Mobile's employee access and the lack of a concrete second-factor authenticator like a physical security key.


Posted by Charles Wright