42 comments

[ 5.0 ms ] story [ 89.6 ms ] thread
The messages reveal that each time LAPSUS$ was cut off from a T-Mobile employee’s account — either because the employee tried to log in or change their password — they would just find or buy another set of T-Mobile VPN credentials. T-Mobile currently has approximately 75,000 employees worldwide.

As a T-Mobile customer, this does not inspire confidence...

Been happening at t-mobile since like 2004

> Hollywood’s hacker war began on February 19, 2004 with a simple phone call. It happened at a T-Mobile store near Los Angeles. The caller told the salesperson he was from the T-Mobile headquarters in Washington. “We heard you’ve been having problems with your customer account tools?” The caller said. “No, we haven’t had any problems really,” the clerk replied, “just a couple slowdowns. That’s about it.”

> “Yes, that’s what is described here in the report,” the caller replied. “We’re going to have to look into this for a quick second.”

> “All right, what do you need?” Then he dutifully gave the caller the company’s internal web site for managing customer accounts —

https://www.wired.com/2015/11/the-hacking-of-hollywood/

tmobile is terrible and I loathe them but are the alternatives better?

is twilio viable for personal cell use?

(comment deleted)
I will say that, as someone who knew the above mentioned hacker when I was underage, ATT and Verizon methodically train their employees on pretexting and other social engineering attacks. While they may have their flaws, they both have a culture of security and privacy that is completely different from TMOB.
There was a Darknet Diaries episode recently[0] that focused on a guy who frequently did phone scams, and he said Verizon was the most expensive to hack because you had to basically pay a bribe to get into their systems.

[0] https://darknetdiaries.com/episode/112/

(comment deleted)
ffs, stop using cell phones. this goes double for smart phones.
Your landline provider also has fallible CSRs.

Webmail providers don't even have service, which can be a curse as much as it is a blessing

Anyone can commit megafraud against you by filing a USPS change of address form on your behalf to intercept all your paper correspondence, not to mention the rampant straight up package theft the past few years.

We need a more comprehensive plan than just 'dont use phones'. As long as correspondence has value, someone is going to try and steal it.

My who? I don't have a land line.
That’s not a real solution.
It is, in the most literal sense.
(comment deleted)
Twilio's "Programmable Wireless" product does not allow phone calls, and actually uses T-Mobile in the US.

So no, it's not viable at all.

Wait, but doesn't this jeopardize the people who sold the VPNs to them? I mean, it should be pretty straightforward for T-Mobile to know which specific account was used to access unauthorized data? Maybe I am misinterpreting it.[0]

[0]: I am assuming that each VPN has a unique identifier.

It’s possible, but I doubt they willingly sold their credentials. It’s more likely that they were scraped by some other means and sold.
You'd be surprised how little is recorded for most transactions. While it's possible to retain a full audit trail for data access, most systems don't. Answering questions like "who looked at this database" is impossible in just about every system I've ever worked with. Some of the more sensitive financial or personal data systems might retain records of who changed a value, but even that is rare and in most cases easily faked or hidden.
In healthcare in my part of Europe, it is a requirement to log every access to patient journals.

And if a nurse, doctor or similar access a journal they most likely have no reason to, it can get flagged for investigation.

What they did there feels like trying to replay Kevin Mitnick in the current times
It's interesting to read the language, the attitude, and the general tone of the conversations in those threads. Nothing has changed.

I did some things when I was their age that would get me time breaking rocks today. It seems like nothing in the hacking culture has changed. The only different things are that we were moving in slow motion because of the speed of our connections.

We even used to store our loot in "the cloud," too. Usually the mainframe accounts of college philosophy and literature professors who never logged in and so never used their disk quotas.

Perfect example of why perimeter based security doesn’t work.

ABAC + Zero Trust.

If your devs/admins are keen on selling access to your network, ZeroTrust won't save you.
If 15-21yo skiddies can buy their way in and carry out acts like these via Discord and Telegram, imagine what the real state-sponsored threat actors are doing that we never even hear about.

These guys have got to just be clowns, media fodder, right? State actors aren't using Discord and storing their loot on AWS.

If 15-21yo skiddies can buy their way in

I think it's interesting that they're buying their way in. Do those accounts not sell for very much?

Also, now that I know they just buy stolen credentials, and don't even have the talent to actually hack their way into the systems, I'm underwhelmed by their achievements.

keep in mind that the lapsus guys aren't your average schoolkids

they have collected about $14 million dollars in crypto from various cyber-crime activities and ventures

they were offering up to $20k for intel/credentials publicly on their Telegram

source: https://www.bbc.com/news/technology-60864283

> Also, now that I know they just buy stolen credentials, and don't even have the talent to actually hack their way into the systems, I'm underwhelmed by their achievements.

It seems to be a common sentiment on hacker news, that they're script kiddies and what they did "doesn't count" as real hacking. But doesn't that just makes things worse? It means anybody can break into anything, given basic social and computing skills. There is clearly a very big complacency problem in our industry and maybe we should do something about it.

Maybe not on discord, but here's 100GB of stuff someone found on AWS that NSA left public...discovered in 2017 but created in 2013.

> 29 Nov 2017

> The NSA has been hit by yet another data leak, as over 100GB of sensitive, classified data was exposed through shoddy security practises.

> The leak came from a virtual copy of a hard drive belonging to US Intelligence and Security Command (INSCOM), an intelligence organisation operating within both the US Army and the NSA.

> The virtual disk image was discovered by UpGuard cyber risk research director Chris Vickery on an unprotected public Amazon S3 server, meaning that anyone who knew the web address where the data was stored could freely access it.

https://www.itpro.com/security/30060/100gb-of-secret-nsa-dat...

I gotta say, while there is probably some illicit value to be had in T-Mobile data, their source code probably has negative value. Everything is garbage.
Which would it even more scary since it can be used to find endless new attacks on T.
T-Mobile has more than 30,000 Gitlab repos? That's mind-boggling. What a mess.
30,000 repos for 75,000 employees. How many of those employees are engineers?
I have to say that T-Mobile is something special:

2020 - More than 50 million people now affected[1]

2021 - T-Mobile Hacked for 5th Time in 4 Years in Latest Breach[2]

2021 - T-Mobile suffers another, smaller data breach[3]

2022 - This story

While clearly T-Mobile does not care enough about information security to do something significant, its also pretty clear that stock market, customers and regulators also do not care about such gross negligence.

[1]https://www.cnet.com/news/privacy/t-mobile-data-breach-more-...

[2]https://www.newsweek.com/t-mobile-hacked-5th-time-4-years-la...

[3]https://www.cnet.com/tech/mobile/t-mobile-reportedly-suffers...

I would 100% disagree. If these young teenagers can do it, it's clear that basically anyone willing, can break into basically any company they want, whenever they want.

TMUS is not remotely special other than, it's apparently a little easier than T or VZ, but again it's not like we should consider those "safe" by any means.

> its also pretty clear that stock market, customers and regulators also do not care about such gross negligence.

Because everyone else is equally negligent. The NSA cares at least a token amount, but clearly they can't even keep their stuff safe, let alone the rest of us.

Banks are "safe" not because they have good IT security, but because they have centuries of log auditing practice and can mostly undo transactions whenever they want.

So thankful that the government has invested all of our money into manufacturing things that blow up and domestic spying programs
the attack actually seems to be very simple, once you obtained the credentials

luckily, you can just skip the part and buy VPN credentials and session cookies on the dark markets

it's so easy, it's almost cheating

yeah, it's less an attack and more like finding a copy of the key to the front door laying on the ground and walking out with everything you can carry, completely unopposed.
Any theories on why they were so interested in Brazilian fleet management software? I’m guessing the only real value would be extortion but it seemed very specific.

Also it’s always amusing to hear about hackers who partake in the incident response meetings for their own hacks. Not the first time I’ve read that.

"...larger companies probably should be paying someone to regularly scrape these criminal bot services, even buying back their own employee credentials to take those vulnerable systems off the market. Because that’s probably the simplest and cheapest incident response money can buy."

Krebs makes a very good point in the last paragraph. Way way way cheaper than paying ransoms.

T-Mobile stated that they don't believe that any sensitive data was stolen. The moment your source code leaks and it has secrets in it, this is a game over!

The problem is not only with the fact that secrets need to be rotated, but the operational impact it can cause if not rotated in all places. Add the time aspect to it and you have a goodie bag.