T-Mobile US Admits to New Data Breach

Data about customers of T-Mobile USA has been compromised by hackers, according to a customer announcement the company shared last week. T-Mobile was keen to emphasize that no financial data was stolen and no passwords were compromised. However, the hackers did grab the following data about some customers: name, billing zip code, phone number, email address, account number, and whether the customer had a prepaid or postpaid account.

Hackers had obtained unauthorized access but T-Mobile’s cybersecurity team identified and stopped it on August 20th. Although T-Mobile’s written announcement provides no figures about the breach, Motherboard reported that 2 million customers were affected. The Motherboard article also claims that T-Mobile’s spokesperson told them that encrypted customer passwords had been breached. The telco supposedly denies these passwords have been compromised because they were encrypted. This might prove to be a semantic subterfuge. Security researcher Nicholas Ceraolo shared a copy of a hashed T-Mobile password he claims to have obtained from a mutual friend he shares with the hackers; other researchers suggested that T-Mobile may have used a weak hashing algorithm that would be relatively easy to crack.

In 2015 the records of 15 million T-Mobile US customers were compromised when hackers stole data from Experian, the credit rating agency. The telco was proactive in telling customers about that breach; it would be a shame if T-Mobile is now being less transparent about the risks to customers, especially if their passwords may be cracked.

T-Mobile’s share price has dropped a little since the news of this latest breach was made public, but has not seen the significant falls that have occurred following other major hacking attacks on telcos. We shall have to see how severe the impact will be on customers, and whether this leads to any further loss of confidence from investors.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.