T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more


T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company’s second network intrusion this year and the ninth since 2018.

The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey.

“The information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines,” the company wrote in a letter sent to affected customers. Account PINs, which customers use to swap out SIM cards and authorize other important changes to their accounts, were reset once T-Mobile discovered the breach on March 27.

The incident is the second hack to hit T-Mobile this year. It’s the ninth since 2018, based on reporting by TechCrunch. In January, T-Mobile said “bad actors” abused its application programming interface in a way that allowed them to access the data of 37 million customers. The hack started on November 25, 2022, and wasn’t discovered by T-Mobile until January 5, TechCrunch said. Data obtained in that incident included names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as the number of lines on accounts and plan features.

From 2018 through 2022, T-Mobile disclosed seven more hacks. In the most recent of those, reported in April 2022, a hacker gang that goes by the name of Lapsus$ got access to the company’s internal tools and, from there, carried out so-called SIM swaps, a type of hack that allows unauthorized people to port someone’s phone number to the phone of the threat actor.

Other data breaches include one in 2021 that exposed data belonging to 49 million customers.

https://arstechnica.com/?p=1935885