A threat player is selling what they claim to be 30m T-Mobile customers’ US Social Security & driver license numbers on an underground web forum. The collection is a subgroup of the purported 100m records contained in stolen databases.
The seller claims to have attacked US infrastructure out of retaliation. The offer: 30m records for ~1 penny each, with the rest being sold privately.
The seller told Motherboard – which 1st reported the news – that for now, they’re privately selling the rest.
The seller also told Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, that this blow to US infrastructure was done in retaliation, as Gal tweeted on Sun.: “This breach was done to retaliate against the US for the kidnapping & torture of John Erin Binns (CIA Raven-1) in Germany by CIA & Turkish intelligence agents in 2019,” the threat actor told Gal. “We did it to harm US infrastructure.”
Binns is a US citizen who lives in Turkey & who sued the FBI, CIA & US Department of Justice in 2020, alleging that he was tortured & harassed by the US & Turkish governments & is seeking to compel the USA to release documents regarding these activities under the US Freedom of Information Act.
The seller’s offer doesn’t mention T-Mobile, but the seller told Motherboard & Bleeping Computer that the source is in fact the company’s servers. They claim to have penetrated T-Mobile’s production, staging, & development servers 2 weeks ago, including an Oracle database server that held the customer data, according to what they told Bleeping Computer.
As proof of the theft, the threat player shared with Bleeping Computer a screenshot of an SSH connection to a production server running Oracle.
T-Mobile told news outlets that it’s investigating the alleged data breach, which 1st came to light on an underground forum over the weekend. Its statement: “We are aware of claims made in an underground forum & have been actively investigating their validity. We do not have any additional information to share at this time.”
Even if T-Mobile hasn’t yet confirmed the breach, T-Mobile customers would be wise to change their security PINs, given that laundry list of details that were purportedly exposed. The seller told Bleeping Computer that the records contain:
- Social Security numbers
- Phone numbers
- Security PINs
- Physical addresses
- Unique IMEI numbers
- IMSI numbers
- Driver license numbers
- Dates of birth
The attacker told Bleeping Computer that T-Mobile’s “entire IMEI history database going back to 2004 was stolen.
” IMEI (International Mobile Equipment Identity) is a unique 15-digit code that precisely identifies a mobile device with the SIM card input, and an IMSI (International mobile subscriber identity) is a unique number that identifies every user of a cellular network.
Fresh Baked, & Such a Bargain
The asking price for the 30m records is 6 bitcoin, which was worth about $280k as of Mon. morning East Coast time.
Bleeping Computer posted a screenshot of the forum post, which claimed that the records are “Freshly dumped & NEVER sold before!” It added that “SERIOUS BUYERS ONLY!” should inquire.
Motherboard’s Joseph Cox has seen samples of the data & confirmed that it’s accurate information belonging to T-Mobile customers. In short, the records contain “Full customer info” for T-Mobile USA customers, the threat actor told Motherboard in an online chat.
T-Mobile has apparently responded by turning off the tap: The seller told Motherboard that they’ve “lost access to the backdoored servers.”
The supposed thief commented: They already made backups “in multiple places.”
Cybersecurity intelligence firm Cyble told Bleeping Computer that the threat player claims that they obtained several databases, totalling approximately 106Gb of data, including T-Mobile’s customer relationship management (CRM) database.
A Penny Per Person
The asking price is really cheap, one expert explained: It comes out to about a penny per purported victim. That’s quite a bargain for cybercrooks, given that the records are rich in data that can be used to conduct ” targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud.”
Ilia Kolochenko, founder of the Swiss app sec firm Immuni Web & a member of the Europol Data Protection Experts Network, outlined that what’s even worse is that the records reportedly contain data from 2004 to 2021 & “can cause extreme invasion of privacy or be used for blackmailing of wealthy victims.
“Given that the offer seems to be new & unique, the price is very cheap: just 1 US cent per victim. The records, which allegedly contain such extremely sensitive data as social security numbers & full histories of mobile phone usage, can be exploited to conduct targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud,” Kolochenko observed via email.
Kolochenko thinks it’s “pretty likely” that 1 of T-Mobile’s suppliers could have unwittingly facilitated or caused the data breach, “Based on the available technical information.”
“If so, it will be another grim reminder about the importance of 3rd-Party Risk Management (TPRM) programs & risk-based vendor vetting,” he noted.
T-Mobile could be in for severe legal issues if the breach is confirmed, Kolochenko predicted. “T-Mobile may face an avalanche of individual & class action lawsuits from the victims, as well as protracted investigations and serious monetary penalties from the states where the victims are based.
Nevertheless, it’s too early to comment, Kolochenko advised: “It would be premature to make conclusions before T-Mobile makes an official statement on the quantity & nature of the stolen data. The potential victims should refrain from panic & contact T-Mobile asking what type of intermediary support & compensation may be provided while the investigation is in progress.
Some remediate actions, such as changing your driving license, may be time-consuming & costly, & I’d not precipitate here unless T-Mobile undertakes to cover the costs or confirm that the information was actually stolen.”
One of the 2021’s Biggest Breaches
If T-Mobile was in fact breached, & if 100m customers’ data was in fact involved, it won’t be the biggest breach so far this year. It’s outdone by the LinkedIn breach in June, in which 700m users’ data was posted for sale on the ‘underground.’
Jack Chapman, VP of Threat Intelligence at Egress, outlined that the threat to T-Mobile is high. “The data leaked in this breach is reported as being already accessible to cyber-criminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims,” Chapman explained in an email.
He advised affected customers to be wary of “any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may utilise the information accessed through this data breach to trick people into sharing more personal data that can be used for identity & financial fraud.”
Chapman added that the incident “highlights the need for organisations such as T-Mobile to put in place the right technology to secure their sensitive data & defend their employees & their company from targeted attacks by cyber-criminals. I
t’s time for organisations to take responsibility & ensure they’re keeping their customers’ data out of the hands of cyber-criminals.”