
Cyber Incident Victim: T-Mobile US

Date: Aug 2018

Location: United States of America

Summary

Hackers accessed personal data of approximately 2 million T-Mobile customers, including names, billing zip codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid). While financial data and Social Security numbers were not exposed, encrypted passwords were compromised, contrary to initial company statements, with security researchers suggesting weak hashing algorithms like MD5 may have been used, potentially enabling brute-force attacks. The breach was detected and terminated promptly, with authorities notified. This incident followed multiple prior security vulnerabilities, including unauthorized data access via phone numbers and critical website flaws, though earlier breaches involved larger datasets including Social Security numbers.


Description

On August 20, 2018, T-Mobile's cybersecurity team detected and terminated unauthorized access to customer data, subsequently reporting the incident to authorities. The company publicly disclosed the breach on August 23, revealing that attackers exfiltrated personal information from approximately 2 million customers, representing roughly 3% of its 77 million subscriber base. Compromised data fields included customer names, billing zip codes, phone numbers, email addresses, account numbers, and service types (prepaid or postpaid). T-Mobile confirmed that financial information such as credit card details and sensitive identifiers like Social Security numbers remained unaffected. Initial company statements asserted that "no passwords were compromised," though this claim would later be revised following external analysis. The intrusion occurred during a brief period before being discovered and shut down, with no indication of ongoing unauthorized access beyond the initial detection date.


Subsequent investigations revealed contradictions in T-Mobile's password disclosure. Security researcher Nicholas Ceraolo obtained a sample dataset containing a "userpassword" field with cryptographic hashes, which independent analysis by password expert Jeremi M. Gosney suggested might use the vulnerable MD5 algorithm. This finding contradicted T-Mobile's original announcement, prompting the company to clarify that while encrypted passwords were exposed, they considered them uncompromised due to the encryption. The company declined to specify its hashing methodology. Gosney warned that the encryption could potentially be reverse-engineered with sufficient sample data, advising affected customers to assume password vulnerability and initiate changes. CEO John Legere publicly recommended regular password updates, though without directly acknowledging the cryptographic concerns. This incident marked the latest in a series of T-Mobile security lapses, following a 2015 breach exposing 15 million customers' Social Security numbers, a 2017 API vulnerability enabling SIM-swapping attacks, and a critical account hijacking flaw discovered (and patched) earlier in 2018.
