Cyber Incident Victim: T-Mobile US
Date: Feb 2023
Location: United States of America
Summary
T-Mobile experienced a second data breach within months, in which attackers used compromised credentials to access approximately 836 customer accounts over more than a month. The incident exposed sensitive personal information including names, contact details, account numbers, PINs, Social Security numbers, government IDs, dates of birth, and internal service codes, heightening the risk of identity theft and phishing. Financial data and call records were not compromised. The carrier proactively reset account PINs and offered affected customers two years of credit monitoring. This followed a separate, larger breach affecting 37 million individuals earlier in the year via an API vulnerability, underscoring recurring security challenges for the company.
Description
T-Mobile identified unauthorized access to its systems impacting 836 customer accounts between late February and March 2023, as detailed in breach notifications issued on April 28, 2023. The company's monitoring tools triggered alerts in March 2023, prompting an investigation that confirmed threat actors had used compromised credentials to access the accounts. The exposed personal information varied by customer but included full names, contact details, account numbers, associated phone numbers, T-Mobile account PINs, Social Security numbers, government-issued identification, dates of birth, outstanding balances, internal service codes (including rate plans and feature designations), and line counts. The attackers did not access financial account details or call records during the intrusion window, which exceeded one month. T-Mobile responded by immediately resetting account PINs for affected individuals to block continued unauthorized access and arranged two years of complimentary credit monitoring and identity theft protection via TransUnion's myTrueIdentity service. The sensitivity of the exposed identifiers heightens the risk of targeted phishing and identity fraud.

This breach was the second cybersecurity event disclosed by T-Mobile in 2023, following a January attack affecting 37 million customers via API exploitation in November 2022. The January breach involved extraction of basic customer data including names, billing addresses, email addresses, phone numbers, birthdates, account numbers, line counts, and plan features. Unlike the February intrusion, which relied on credential compromise over an extended period, the January event was contained within 24 hours of detection on January 5. T-Mobile acknowledged its breach history by listing seven prior incidents since 2018 affecting prepaid customers, employee records, network information, and testing environments through varied attack vectors such as credential theft and brute-force attacks. Post-incident statements confirmed ongoing internal investigations into the root causes of the February breach but withheld specifics about how the credentials were acquired or whether employee accounts facilitated access.
