T-Mobile is investigating a data breach that they estimate impacts 7.8 million postpaid customers, 850,000 prepaid customers and “just over” 40 million past or prospective customers. Hackers claim that the number of impacted individuals is 100 million. T-Mobile has stated that they are confident that the attack entry point has been closed and they will continue with their technical review. Sprint and other telecoms owned by T-Mobile are reportedly unaffected.
Hackers also claim one of the T-Mobile databases they accessed holds the names, addresses, birth dates, SSNs, driver’s license numbers, phone numbers and security PINs for 36 million T-Mobile customers, dating back to the 1990s; however, databases of prepaid customers reportedly contained far less information. Hackers allege to have accessed a database which includes customer credit card numbers, with 6 of the card digits obfuscated.
Account PIN’s belonging to 850,000 prepaid customers were reportedly compromised and reset by T-Mobile. Although there is currently no evidence of postpaid customer PIN compromise, T-Mobile is recommending that these customers change their PINs. T-Mobile has stated that they will offer free credit monitoring to impacted customers for a period of 2 years.