
Cyber Incident Victim: T-Mobile US

Date: Apr 2022

Location: United States of America

Summary

T-Mobile confirmed that the Lapsus$ extortion gang breached its network using stolen credentials, accessing internal systems housing operational tools but not customer or government data. The telecommunications company rapidly disabled the compromised access and invalidated the stolen credentials, finding no evidence of sensitive information theft; however, the attackers reportedly stole proprietary source code. This incident followed multiple prior breaches impacting customer information, employee accounts, and network data, with recent warnings issued to affected individuals about heightened identity theft risks from earlier compromises.


Description

In or around April 2022, T-Mobile confirmed that the Lapsus$ cybercrime group breached its internal systems using stolen credentials. The intrusion occurred several weeks prior to the April 22 disclosure and was detected by the company’s monitoring tools. According to T-Mobile, the attackers accessed systems housing operational tools software but did not compromise customer data, government information, or other sensitive materials. The company terminated the threat actors’ network access and invalidated the compromised credentials upon discovery. T-Mobile stated its security systems functioned as intended, with the intrusion rapidly contained and closed. Independent journalist Brian Krebs reported the breach after analyzing leaked Telegram communications between Lapsus$ members, which indicated the theft of proprietary T-Mobile source code during the incident. The company maintained it found no evidence the attackers extracted valuable information.


This incident marked at least the seventh cybersecurity breach disclosed by T-Mobile since 2018. Historical incidents included a 2019 exposure of prepaid customer data, unauthorized access to employee email accounts in March 2020, and a December 2020 breach involving customer proprietary network information such as phone numbers and call records. In February 2021, attackers accessed an internal T-Mobile application without authorization. The August 2021 breach affected approximately 3% of customers, prompting the New York State Attorney General’s Office to warn victims about heightened identity theft risks in March 2022. Concurrently, the New Jersey Cybersecurity & Communications Integration Cell alerted customers about SMS phishing campaigns potentially leveraging stolen T-Mobile data. The Lapsus$ breach differed from prior incidents in its operational focus, targeting internal tools rather than customer information repositories.
