27 Oct
T-Mobile Alerted ‘A Few Hundred Customers’ Targeted By Hackers
T-Mobile has alerted hundreds of customers who were targeted by cybercriminals trying to hijack their SIM cards.
The company contacted the targeted customers over the last two weeks, after Motherboard revealed that a bug on a T-Mobile website allowed hackers to access customers’ personal data such as email address, account number, and their phone’s IMSI, a standardized unique number that identifies subscribers.
The ultimate goal was to hijack or “swap” the victims’ SIM cards. This gives the criminals a chance to take over their phone number and then move on to targeting other online accounts that might have been linked to the number, such as email and banking accounts, according to a blackhat hacker who is familiar with these attempts and requested to remain anonymous. (To prove he knew about these attempts, the hacker sent me my own account’s data.)
This is a relatively rare, but extremely dangerous kind of scam that can even be used to steal SMS-based two-factor authentication codes, giving cybercriminals the ability to hack into your account if they can also steal your password.
On Monday, a T-Mobile customer support representative called to inform me “of a detected alert” about my personal information. On Wednesday, a company spokesperson confirmed via email that T-Mobile has contacted “a few hundred customers” who were impacted.
“If you were impacted you were called,” the spokesperson told me on the phone.
“We found that there were a few hundred customers targeted,” the spokesperson later said in a statement. “We take our customers’ privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure.”
The spokesperson did not specify exactly how many customers were targeted.
The bug was reported in early October by Karan Saini, a security researcher. As it turns out, however, hackers had known about the vulnerability since at least August 6, when a hacker uploaded a tutorial on YouTube on how to exploit the vulnerability.
Initially, when Motherboard and the researcher reached out, T-Mobile said that there was “no indication that [the bug] was shared more broadly.” On October 11, a T-Mobile spokesperson said that “as of this time we’ve found no evidence of customer accounts affected as a result of this vulnerability.”