67 comments

[ 3.9 ms ] story [ 136 ms ] thread
Meanwhile services everywhere are happy to demand phone numbers, SMS verification to login or create accounts.
Maybe it's time for me to move providers. This is getting ridiculous, and their service in my area isn't that stellar anyways.

It's just a hassle to move so I stay because of inertia (read: laziness).

Your info probably has been leaked already, so it’s out there, won’t matter if it leaks again lol
Maybe it's time to regulate privacy to make the retention of personally-identifying information illegal for companies that have no need to retain it. PII should be considered legally radioactive. There's no excuse for a mere wireless carrier to need your SSN.
Or maybe it's time to do away with SSN as a form of authentication. If there is a single person in the US that hasn't had theirs be stolen by now, I'd be shocked.

I can revoke a cert that has been compromised. I don't understand why we don't have a similar procedure set up for my PII.

T-Mobile does not require any identification to get a prepaid phone line. You can submit whatever name you'd like for the line. There's no SSN requested either.

Any requirements imposed at a local store are specific to your State. If you really want to get one without providing any PII, get the line in a different State.

Not providing information is the first step of limiting the blast radius of data leaks.

This is not just about T-mobile. This problem is systemic.
T-Mobile screams coupon-clipping to me, and that's the entire reason I've avoided it. Sounds stupid, but AT&T has been fine. Worth paying a little more.
And T-mobile is rumored to be taking away the autopay discount that they currently have unless you use a checking account instead of a credit card.

There is no way in hell I’m giving T-mobile my checking account info.

Not a rumor, it is true. (I'm a T-Mobile customer and saw the notification on my account.)
I’ve seen that discussion on Reddit. But I still haven’t gotten a notification.
I didn't get a notification per se. It was when I signed into my account and went to the billing/autopay page that there was a banner at the top.
They have however recently increased customer incentive to be on autopay, by bumping the penalty for late payment from $5 to $7.
They will also give the discount if you use a debit card. I'm pretty sure the reason for this is because FedNow launches this summer (usa is finally getting nationalized instant payments) and the qualifying information is your debit card or checking details.
A debit card is still linked to your checking account. That doesn’t help.
It should still help, in that debit cards can have limits set. But you're right that it's not a full solution.
I just replaced the credit card on my up my account with a Privacy.com virtual debit card with a monthly spending limit for that card equal to my bill. It seems to still be giving me the AutoPay discount but I’ll wait and see when my May bill comes in a few days.
Holy crap: "The incident is the second hack to hit T-Mobile this year. It’s the ninth since 2018, based on reporting by TechCrunch."

Are there companies with a worse track record than this? Seems like they get breached way more than average.

Keep in mind, these are the ones we know about. I would imagine there could be many, many more. I work for a large health care company. We've had several breaches already this year. None have been made public and users were never notified.

Unless the press or some independent researcher like Krebs digs something up, its often times rare a company will make this stuff public.

Go do a year in IR if you want some inside perspective -- and to shave a few years off your existence. Sounds about normal for a large telecommunications firm. These large firms don't have 30+ person IR teams on round the clock shifts distributed worldwide because nothing ever happens. T-Mobile just has some transparency and likely actual monitoring in place to detect these breaches instead of them just floating by until some threat actor sells the data somewhere public.
I use their network via Mint is because they do not require any ID. I buy SIM cards with cash. Breaches like this don't matter for me since they have no personal information.
Does that mean you keep changing your phone number with mew SIM cards? Or can/do you port it each time?
You only need to buy the sim once, but even if you kept buying new sims you can port your number each time.
I only use the SIM card for data. I do not know what phone number is on the SIM and would never use it. Instead I use VOIP for OTA calls and SMS.
My concern would be something more like getting 2FA codes stolen.
Don't they need your address for E911?
Only if you set up wifi calling.
> The information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines

wow, pretty much everything. great. How have they not learned from the last SEVEN times?! Can they be sued for this? Can they be fined by the government for this?

I just logged in and when I tried going to my profile section I just got a screen that said "Access restricted". Maybe because I'm logging in from my work laptop which I've never done before. I guess this is how they are trying to deal with the issue, preventing access of sensitive info from "suspicious" logins.

You can sue, but you'll need to wait until you suffer damages. And good luck proving that it was in fact THIS breach that caused your identity theft.

The system is broken. There is no accountability whatsoever. You have no power to change any of this. It's all fucked.

This would be a lot less problematic if we in the US wouldn't constantly use an ID as a authentication secret. Usage of social security numbers as a auth secret needs to be treated as a national emergency. Won't happen though because most our Congress people are geriatric and don't understand technology and the industry would push back on any change because it would cost then money.
I used to "half-joke" about wanting everyone's SSN published in one big fat breach. I don't joke about it now. I really do want every single SSN to be published somewhere with the associated identities. It seems like nothing short of that will convince banks and other sensitive institutions to give up on using it as a secret.

Then, once the SSN can't be plausibly relied upon to authenticate people, these industries will have to do the hard work themselves.

> I used to "half-joke" about wanting everyone's SSN published in one big fat breach. I don't joke about it now

The 2017 Equifax breach was 40+% of americans. As far as I can tell, it barely changed anything about using SSNs as username and password for identity and credit. It maybe helped end user fees for credit freezes. Based on the response to that breach, I don't think a full dump would change anything either. I don't know what it was like before this breach, but identity fraud doesn't seem to get any investigation these days --- a year or so, someone rented an Oakland luxury apartment and tried to open two credit cards in my spouse's name and social security number, and Oakland PD didn't follow up at all.

Yeah, but even that breach isn't a public thing. The contents of it, I mean. Like, I can't go to a site somewhere and just look up people's names and find out their socials.

That's what I'm hoping for. A full database dump of everybody's SSN that's made embarrassingly public, so people can see just how useless SSNs are. I could enter "Marvin Garrison, DOB 1974-04-20" and get Marvin's SSN.

A torrent file, made available for even a short period of time, would be preserved forever and put the final nail in the coffin.

I know this sounds like some nerd version of Fight Club, but I stand by it :)

But wouldn't that require a lot more personal information to be in the leak than just Name/SSN? At least DOB, and sometimes more would be required. Therefore that would be a huge and damaging leak that would encompass more than just SSNs. Be careful what you wish for.
Yeah, let's keep it to stuff that's already widely known. First, Last, DOB. That's it.

Sure, there will be duplicates. John Miller, born on 10/10/1963 will happen a dozen times maybe. Will still be effective in destroying the SSN as a magic key.

You don't have to prove damages, just negligence. T-Mobile has a fiduciary duty to protect your private details. The problem is you'll be lumped into to some class action suit and handed a payout for pennies on the dollar while the lawyers laugh all the way to the bank. If individuals started suing it would be an absolute nightmare for T-Mobile. I'd happily pay the 40 dollars for a small claims court fee, but thankfully I'm not a customer of this bozo operation.
I have proof they made an error on my name that they always refused to fix and I receive all kind of scams and attacks with those. Robinhood that has a different one has the exact same problem. But they are almost entirely crypto scams by email.
For some reason it seems only the U.S. division of T-Mobile is getting hacked, while the german one is rarely in the news...
"division" is not the right term for it. They are really different companies, even though the majority owner is the same and they use similar branding. T-Mobile US wasn't created by T-Mobile Germany expanding, but rather through Telekom buying US carriers and rebranding them, and thus they don't share infrastructure or corporate structures.
But its clear the german company? Division? Seems to take security much more seriously
Remember, a fine (typically insufficient) is just a measured cost of doing business.

How many times is it going to take for them to actually take this seriously?

This seems to be happening very often. Boost mobile got (allegedly) ransomwared a few months ago. There customer facing systems were down for more than a week. It’s a mess.
> affected 836 customers

This number seems oddly low. My first instinct is not to trust that this was reported honestly. But if it is accurate, why was it so low? Perhaps there's something else very interesting about this breach they're not disclosing (not that they would provide more than the bare minimum amount of information required anyways).

I read somewhere that new security protocols at T-Mobile stopped it. Accounts can only access a certain amount of data before it's locked out.
The announcement was from the Maine AG. I presume these are all customers in Maine. It’s likely customers in other states were affected as well, but this has not been announced.
The announcement also says only 1 Maine resident was affected.
Oh goodie. I'm still dealing with identity theft from T-Mobile's earlier breach.
> "Hack affecting 836 subscribers lasted for more than a month before it was discovered."

The intrusion lasted that long and only data of 836 subscribers was affected?

That's a weirdly low figure for having over a MONTH of access to their systems. What did they hack, a barely used fax-machine?

Could be just high value celebrity targets to ensure a small surface area with the highest value.
Remember this will happen again and again and again and again and again and again and again and again and again until America actually gets some proper data protection/privacy laws. You should consider all your data insecure and expect it to be breached at some point - as soon as it leaves your device you are no longer in control.

I can't imagine a provider being hacked in the EU 9 times being able to get away with not changing its practices/being fined into oblivion.

No one cares, stock price continues to explode relative to telecom competitors. What incentive does TMobile need to resolve this nonsense?
Pretty much this. I cant seem to find it now but I read a study late last year that data breaches/hacks have almost no impact to the share price, no impact on customer base and consequently no impact to the leadership of a company. Thus, leadership is less likely to invest in security and privacy of their users.
All my data has been leaked so often now by various companies, including my W2 when a past employer got spear phished. Meanwhile I have a really good contract with T-Mobile and been very happy with the service. Both in terms of connectivity and in-store service. While I'm upset about this, I'm not gonna go through the hassle of moving to a different service provider, all of whom have bad reputations anyways.
This is one of my big concerns with T-mobile acquiring Mint (or any other provider). T-mobile has a terrible track record for security, and companies that it acquires will likely inherit some of those vulnerabilities.
I would not be surprised if T-Mobile keeps Mint's systems separate from their current systems. They haven't even figured out how and/or have no interest in being able to handle T-Mobil prepaid and T-Mobile postpaid from the same system, so I doubt that they will be able to fold in an outside system.

Seriously, when I switched from T-Mobile postpaid to T-Mobile prepaid it was like changing carriers. New SIM, different website, mobile app does not work with prepaid accounts [1], different payment methods accepted, and more.

If it weren't for the branding and the prepaid website being a subdomain of t-mobil.com someone looking at both would not guess that they are the same company.

[1] It says "Sorry we're not ready for you. We're working on improving your app experience". It's been that way for many years, and whenever anyone asks about it on the T-Mobile forums someone from T-Mobile says they are working on it.

Hire security consultant.

Make some bare minimum changes due to budget constraints.

Get hacked again.

Make a statement.

Hire security consultant.

....

Lol, maybe the second line should be “Make changes that destroy programmer productivity while doing nothing to address security, and claim that it is a new security policy”. T-mobile didn’t pioneer the concept of using offshore fraudulent contractors and consultants to build your core IT infrastructure, but they certainly perfected it.
T-Mobile must have very good security to be able to detect these breaches. Most companies (and government) have terrible security and just assume everything is fine because they never hear about any problems. Of course, you will never hear about any problems if you have no active detection and investigation capability.
The worst thing about having your SSN leaked in a breach is that you can’t get a long-term credit lock until after you’ve already suffered identity theft.

You need to show evidence you’ve had your identity stolen before you can safely prevent it from happening. The whole industry is exactly backwards.

Conspiracy theory: These hacks are being carried out by Experian to force T-Mobile into buying more credit monitoring for affected customers.
I used to work for T-Mobile. I suspect that they get breached so often due to age of one of their primary billing systems, which is written in PowerBuilder.
I had just started using Mint mobile and then I find out a month later that T-Mobile is acquiring them, now this... there was a reason I never wanted to use T-Mobile. Guess I gotta find another provider... again
Last I heard the DoJ was considering filing suit to stop the acquisition, so maybe you won't have to?