
T-Mobile Database Breach Exposes 2M Customers' Data - Nazzareno
https://www.databreachtoday.com/t-mobile-database-breach-exposes-2-million-customers-data-a-11420
======
seibelj
I have T-Mobile. 6 weeks ago my phone could no longer access the cell network.
The support agent told me that someone went into a store, claimed to be me,
and was able to change the SIM card. The history showed the employee in the
store verified me by my driver's license. We changed the SIM back and
supposedly locked the account.

I use Google Auth OTP for all the accounts that I can, and as far as I can
tell nothing was breached or stolen, but I wouldn't rely on your cell phone or
number for anything whatsoever, it's way too easy to socially engineer, or
have some easily corruptible retail employee steal from you.

~~~
hippich
Similar thing happened to me about a year ago. The creepiest part was - it
happened while I was on an international flight and my gmail WAS on SMS "two
factor" authentication... Since then, everywhere I can, I use OTP, but some
sites fall back to using your phone number if you can't provide the OTP
password... So I have to enter some completely invalid phone number there to
make it impossible.

~~~
acomar
There are a few sites that won't accept this and won't even accept a Google
Voice/VOIP number because they do some kind of check. Very frustrating.

~~~
r00fus
Can you provide a number (i.e. POTS) that has no SMS capability?

------
heywot
My favorite part about all of this is that, as a T-Mobile customer, this is
how I find out about the leak. There's not even an alert when I log into my
account. Why can't companies be more responsible about these situations?

~~~
toomuchtodo
If your data was breached, you would've received an SMS message or email.

~~~
heywot
I still think making customers aware would go a long way. And we only have to
go back to the Equifax breach to learn that companies are hardly forthcoming
about who is and isn't compromised.

~~~
toomuchtodo
Your average customer wouldn't care unfortunately. No action to mitigate can
be taken by the user, no business repercussions for the data loss.

~~~
heywot
I get your conclusion but that doesn't excuse T-Mobile from notifying
customers that their data has potentially been breached. I would much rather
be aware that there is a distinct possibility my cell carrier's data on me has
been breached, because I _can_ take some small actions to mitigate any
potential damage (change password, update PIN, etc). Being aware is half the
battle with online security.

I'm not sure that the lack of repercussions is a reasonable excuse. I know
companies will use it. I know we might throw our hands in the air and just say
it's a fact of life. But it doesn't _have_ to be.

~~~
toomuchtodo
Legislation is the only solution.

------
wegs
A while back, I ran into a security hole in T-Mobile. Confidential customer
data was quite literally available on the Internet via a Google search. This
was due to a half-dozen missing very basic security precautions (forms using
GET instead of POST, no CSRF, etc., etc., etc.).

I emailed the CEO. It got moved to a team who assured him there were no
problems. The pages got taken down, but the underlying issues were, as far as
I know, ignored (the communication to the CEO was essentially that there were
no issues, and he believed his team over me).

I still trust T-Mobile more than Sprint/AT&T/Verizon as a company, but data
security is non-existent.

I'm not quite sure what to do with that.

------
kevin_thibedeau
> But a T-Mobile spokeswoman later told news site Motherboard that "encrypted"
> passwords were in the batch of data.

T-mobile stores plaintext passwords. They recently invalidated a password I
had been using with them for some time because they changed their rules and
disallowed special characters (tons of stupid there). They wouldn't have known
to do that if the passwords were properly hashed.

~~~
tyleraldrich
This isn't necessarily true (and is very dependent on what your password was)
- they could have iterated through lists of common passwords w/ special
characters, hashed them, and compared them to their DB, forcing a pw reset for
everyone that had a match.

edit - just want to state that if they disallow special characters it really
is a terrible policy, my point is just that resetting your password isn't
proof they are stored in plaintext

~~~
kevin_thibedeau
Not salting passwords in 2018 is also idiotic lunacy.

~~~
tyleraldrich
This same exact strategy works with a salt as well.

~~~
lightbyte
He might have been referring to user specific salts? It would certainly be a
lot more challenging for them to test every common password with every user's
salt.
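
Added example (not from the thread or from T-Mobile) of the operator-side audit tyleraldrich describes and the cost lightbyte points at: hash a weak-password list against your own credential table to pick accounts for a forced reset, and see how a per-user salt multiplies the work by the number of users. Account names, passwords and the weak list are constructed; single-round sha256 stands in for the slow KDF (bcrypt/scrypt/Argon2) a real system should use.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data: three accounts and a tiny weak-password list.
PASSWORDS = {"alice": "Summer2018!", "bob": "hunter2", "carol": "p@ssw0rd"}
WEAK_LIST = ["password", "hunter2", "p@ssw0rd", "letmein", "qwerty!"]
GLOBAL_SALT = b"site-wide-salt"  # one salt shared by every record (the weak design)

Table = Dict[str, Tuple[bytes, str]]  # user -> (salt, hex digest)


def h(salt: bytes, pw: str) -> str:
    # sha256 is used only so the example runs instantly; use a slow KDF in production.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def make_table(per_user_salt: bool) -> Table:
    """Build the credential table with either one global salt or a random 16-byte salt per user."""
    table: Table = {}
    for user, pw in PASSWORDS.items():
        salt = os.urandom(16) if per_user_salt else GLOBAL_SALT
        table[user] = (salt, h(salt, pw))
    return table


def audit_global(table: Table, wordlist: List[str]) -> Tuple[List[str], int]:
    """Global salt: each candidate is hashed once and every record is a dictionary lookup.
    Work = len(wordlist), independent of how many users there are."""
    lookup = {h(GLOBAL_SALT, pw): pw for pw in wordlist}
    hits = sorted(u for u, (_, digest) in table.items() if digest in lookup)
    return hits, len(wordlist)


def audit_per_user(table: Table, wordlist: List[str]) -> Tuple[List[str], int]:
    """Per-user salt: every candidate must be re-hashed under each user's own salt.
    Work = len(table) * len(wordlist); the precomputed lookup above is useless here."""
    hits, work = [], 0
    for user, (salt, digest) in table.items():
        for pw in wordlist:
            work += 1
            if h(salt, pw) == digest:
                hits.append(user)
    return sorted(hits), work


if __name__ == "__main__":
    print("global salt  :", audit_global(make_table(False), WEAK_LIST))
    print("per-user salt:", audit_per_user(make_table(True), WEAK_LIST))
    # The global-salt shortcut finds nothing once salts are per-user.
    print("shortcut vs per-user table:", audit_global(make_table(True), WEAK_LIST))
```

Both audits flag the same two accounts, but the per-user variant costs users × candidates hash operations instead of candidates alone, and the precomputed lookup that makes the global-salt audit cheap finds nothing against a per-user-salted table.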

------
mrep
> T-Mobile's assertion that no password information was stolen - and later
> clarification that encrypted passwords were exposed

Call me skeptical considering they said 4 months ago that they store part of
their passwords in plain text:
[https://motherboard.vice.com/en_us/article/7xdeby/t-mobile-s...](https://motherboard.vice.com/en_us/article/7xdeby/t-mobile-stores-part-of-customers-passwords-in-plaintext-says-it-has-amazingly-good-security)

~~~
Crosseye_Jack
That was T-Mobile Austria and at the time T-Mobile USA (and iirc a couple
other T-Mobile subsidiaries) said they used a different customer account
system than T-Mobile Austria and handle account passwords differently.

(T-Mobile Austria has since figured out that storing this is a bad idea and
promised to change how they do it. Dunno what they have done as I'm not a
customer of them nor live in Austria, I just remember the shitstorm on
twitter about it.)

------
ourmandave
Only 2 million?

Seems low. I wonder if they'll adjust it upwards _like every other data breach
that happens every week since I can remember?_

Sadly, I don't even care since I was never a T-Mobile customer and they
already have my entire life like f*cking Keyser Soze 50x times over.

------
bogomipz
And it was only 3 years ago that T-Mobile had a breach that affected 15
million, which they largely blamed on Experian at the time.

"On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile
data housed in an Experian server. Records containing a name, address, Social
Security number, date of birth, identification number (typically a driver’s
license, military ID, or passport number) and additional information used in
T-Mobile's own credit assessment were accessed."

T-Mobile's response to that incident was to offer customers 2 years of free
credit monitoring service from Experian. That free service would have ended a
year ago, just in time for T-Mobile's next breach.

Clearly nothing has changed at T-Mobile.

[https://www.t-mobile.com/customers/experian-data-breach-faq](https://www.t-mobile.com/customers/experian-data-breach-faq)

------
RobertRoberts
Anyone have any good suggestions for what a customer should do when their
service provider has been breached?

~~~
darkstar999
Change your password and make sure you don't share the same password between
different sites/services.

------
kodablah
> Ceraolo, who says he was not involved in the breach, says he was able to
> confirm that the hacker accessed T-Mobile via a vulnerable API.

I want some details here. Just the other day we had a blog post lauding fairly
open API approaches for client UIs (in GraphQL, but I see similar arguments
elsewhere). Lock your shit down, don't give the frontend more than it needs,
and if you're in a company with some type of ridiculous team separation where
the backend has to treat the frontend as a customer that doesn't work for the
company it's just a matter of time.

Not saying this was a frontend API, just saying it's a frequent vector due to
the lax auth requirements and "internal" query-like approach they often take.

------
akshayB
I think it's about time the US passes laws that any company that suffers a data
breach is mandated to give identity theft protection for 1 year to people
whose information was compromised.

~~~
chadlavi
if that were the case, by this point most of us would have lifetime protection

~~~
Broken_Hippo
I doubt that it would stack, though. It'd simply mean that the data protection
companies got lots of money since more than one company would pay for
protection for a single customer. If data breaches somehow stopped today, we'd
all be without "protection" within a year.

------
bogomipz
In looking at T-Mobile's home page there is no mention of the breach. Wouldn't
the responsible thing for them to do be to post it somewhere high profile that
their customers might see it?

Instead the notice is buried here, which doesn't even appear to be linked to
on their home page.

[https://www.t-mobile.com/customers/6305378821](https://www.t-mobile.com/customers/6305378821)

------
MrEfficiency
After being a T-Mobile customer for 6 years (and leaving this year), I do not
trust a word they say.

Here is a list of unethical things they've done:

>Claim UNLIMITED when restricting people at 10GB hotspot and 50GB data. Their
deprioritization is unusable, but they claim otherwise.

>They sent their social media marketing team to astroturf in an /r/frugal
thread critical of T-Mobile.

>Their customer service person canceled a plan and added a plan when moving
around numbers. I don't know if this was intended or an accident, but after 2
months of paying extra, I asked for a refund; the store wouldn't do it. I had
to call. This was a 2 hour process.

So 2M customer data? Says T-Mobile.

So no passwords stolen? Says T-Mobile.

I remember when they were 'the good guys'.

~~~
post_break
Name one carrier that has unlimited with unlimited data, no caps, no slow
downs. Go ahead I'll wait.

~~~
usermac
T-Mobile ONE for US vets. I signed up three months ago and it is truly
unlimited.

~~~
post_break
Still has a cap of 50GB or whatever the current cap is until you get
throttled.

~~~
usermac
"640K ought to be enough for anybody" ;)
[https://www.computerworld.com/article/2534312/operating-syst...](https://www.computerworld.com/article/2534312/operating-systems/the--640k--quote-won-t-go-away----but-did-gates-really-say-it-.html)

------
m52go
Purism's carrier-less phone cannot come fast enough.

~~~
shrimp_emoji
Sounds like a regular computer but small and with an LTE modem. That should be
the future, but, barring making cell networks a free, national utility, I
don't understand how there still aren't carriers (ISPs) that map customers to
a device (unless they charge a flat, global fee for general access) and
possess at least some of their data.

(In general, though, SMS 2FA is a bad idea; device, not SIM-based, things like
Google Authenticator are much better and render SIM hijacks toothless as far
as 2FA is concerned. You're still hosed with respect to your payment method,
address, carrier credentials, etc. of course.)

