Cyber Incident Victim: T-Mobile US
Date: Aug 2017
Location: United States of America
Summary
A telecommunications provider experienced a breach where hackers exploited a website vulnerability to access customer personal data, including email addresses, account numbers, and unique device identifiers. The attackers aimed to hijack victims' SIM cards, enabling potential takeover of phone numbers and linked accounts, particularly those relying on SMS-based two-factor authentication. The company addressed the flaw after being alerted by a security researcher, though malicious actors had exploited it for months prior. Hundreds of customers were notified that their information was compromised, with the provider offering enhanced security measures such as SIM locks to prevent unauthorized card swaps. The incident drew criticism as initial company statements denied any customer impact despite confirmed breaches.
Description
In August 2017, hackers exploited a vulnerability on a T-Mobile US website to access customer account data, including email addresses, account numbers, and International Mobile Subscriber Identity (IMSI) numbers. The vulnerability, publicly demonstrated in a YouTube tutorial uploaded on August 6, enabled attackers to impersonate customers and initiate SIM card hijacking attempts. This technique aimed to transfer victims' phone numbers to attacker-controlled SIM cards, potentially compromising SMS-based two-factor authentication and other linked accounts. Security researcher Karan Saini reported the flaw to T-Mobile in early October 2017. The company patched the vulnerability on October 10 but initially stated there was "no indication" of broader exploitation or affected customer accounts. Subsequent investigation revealed hackers had actively exploited the flaw to target customers between August and October.

T-Mobile confirmed in late October that "a few hundred customers" were impacted by these attacks, with no exposure of passwords, Social Security numbers, or financial information. The company proactively contacted all identified victims via phone within two weeks of patching the vulnerability, warning them about unauthorized access to their personal data. Affected customers were offered enhanced security measures, including SIM locks requiring additional verification for SIM replacement and optional account-specific phone passwords for customer service interactions. Security experts criticized T-Mobile for failing to detect the attacks earlier, particularly given the public availability of exploit tutorials. The incident highlighted risks associated with SIM-swapping attacks and insufficient safeguards against unauthorized account changes at the time.
