
T-Mobile reveals data breach, customer account info accessed - el_duderino
https://www.t-mobile.com/responsibility/consumer-info/cpni-notice
======
StudentStuff
I was affected by this, they SIM swapped a line on our account twice, both
times on Friday at 5:23pm (followed by swapping the old SIM back at 5:42pm).

Just received the CPNI notice today from T-Mobile, we had a 6 digit PIN set
prior to the first SIM swap on January 10th, and changed it before the
following SIM swap on January 17th.

T-Mobile told me these swaps occurred at a store for both attacks. I did
remove all authorized users from the account prior to the SIM swap on the
17th. T-Mobile has refused to provide Seattle Police Dept with any info about
the fraudulent activity, and left me in the dark prior to the letter today.

~~~
lotsofpulp
We need legislation around liability for SIMs, as every single large financial
institution seems to be using SMS messages as proof of identity. Better yet,
we need legislation that protects individuals from liability if a business
uses SMS as proof of identity.

Edit: For ATT, I don’t know what power they give their employees to change or
bypass people’s passcode, but as a user, all you need to reset passcode are
last 4 digits of account owner’s social, billing zip code, and access to one
of the phone lines on the account where they will send an SMS to verify you’re
one of the people on the account.

I would hope for much stricter processes to reset a passcode, like a
notarized letter or showing a passport and physically going to a store to prove
identity.

------
SanchoPanda
The language is so full of weasel words I find it almost offensive, given the
context.

may have impacted, quickly shut down, immediately commenced, leading ...
experts,

For the future, lawyers, here you go: [http://matt.might.net/articles/shell-scripts-for-passive-voice-weasel-words-duplicates/](http://matt.might.net/articles/shell-scripts-for-passive-voice-weasel-words-duplicates/)

------
pianoben
This is the most content-free disclosure I've seen in a long, long time.
Things I'd love to have seen:

1. attack vector

2. time when attack was detected

3. time attack was mitigated

4. scope of impact

There isn't even a single date! This could apply to just about _any_ breach at
any time.

/rant

~~~
StudentStuff
1. A store location or locations was compromised

2. January 10th was when we notified T-Mobile of the attack

3. Likely sometime between January 17th (the last successful SIM swap attack
we experienced) and January 24th.

4. Who knows? T-Mobile refuses to disclose any info to the police :P

~~~
zhoujianfu
Is it possible to give more details on all this? I was SIM-swapped on the 21st
resulting in a sizable bitcoin theft. I’d really appreciate it if you could
email me at my contact email on my profile with any notes you do have.
Thanks so much!

~~~
sinners0101
What is your email exactly sir? Might have some information that you would
appreciate.

~~~
zhoujianfu
Hey, if you see this, email me at joshster@gmail.com.. thanks!

------
RKearney
The language here is worded in such a way that a non-technical person would
believe that there's nothing T-Mobile could have done to prevent this from
happening. I was hoping to hear why employee email accounts contained customer
addresses and phone numbers but it doesn't appear like they think that's a
problem, nor do they mention it in the closing section on what they plan to do
to prevent this in the future.

~~~
ac29
I would imagine it is difficult to do customer service for a phone carrier
without using phone numbers in internal emails. Customer addresses could just
be something like "customer is reporting poor service at their home address:
123 Xyz Lane, etc". Presumably all orders placed electronically contain a
phone number and address as part of the invoice, so that may be part of it as
well.

~~~
rovr138
If it’s a note on the account, there’s no need for the address.

If it’s a message to another team (engineering?) to check the antenna out,
then why not just send the general area? ‘Customer at XYZ Lane is reporting
poor service’

No need to tie the user in there or their property number. The antenna will
cover the area easily enough.

------
altmind
T-Mobile plaintext password data breach thought to be imminent

[https://www.reddit.com/r/sysadmin/comments/8aem4n/tmobile_plaintext_password_data_breach_thought_to/](https://www.reddit.com/r/sysadmin/comments/8aem4n/tmobile_plaintext_password_data_breach_thought_to/)

~~~
meowface
That was posted in April 2018. Very unlikely there's any relation to this.

Also, the OP added that representatives only see the first 4 characters of a
password in plaintext. That's still absolutely horrendous and unjustifiable,
but not as bad as full plaintext storage.

------
usr1106
Of course the typical non-information made up by a PR department and cleared
by legal...

So they are saying a contracted Email provider was compromised. It should not
be a big secret what provider T-Mobile uses in the US. Microsoft? Gmail? ...?

~~~
dvtrn
Earlier today this happened: One of my employer's strategic partners is a
national telecom and cellular provider. You probably have their service. It just
happens to not be T-Mobile in this case.

Anyway we were working on a project regarding turning down some MPLS circuits
at a data center we are exiting and one of the engineers from this telecom
asked us to submit further updates and status changes to a personal yahoo
email address of his.

I’m still waiting on a response from our account manager if this is standard
and expressing concern.

The director of my business unit was apoplectic when I showed him.

This will be an interesting conversation.

~~~
usr1106
This happened to a US Secretary of State...

But seriously, T-Mobile talks about their provider, not about a random
employee using an unauthorized one. Even if their statement has little
substance, I assume it is not directly untrue. But even that happened
before...

------
romdev
I have T-Mobile and auto-pay with a credit card that has had 6 fraudulent
transactions in the past week. Might not be related.

------
kaycebasques
Who is the best provider out there in terms of PII protection? And how do you
know?

~~~
krackers
Probably Google Fi, but the lack of customer support can be both a strength
and a weakness there

~~~
VistaBrokeMyPC
I've actually had good encounters with Fi support. Funny enough, I think it's
the only Google service that I've been able to get a human to talk to for an
issue.

------
justlexi93
T-Mobile says that no financial data or social security numbers were accessed
in this data breach, but account info like name, billing address, and phone
number was accessed.