T-Mobile US probes claims of 100m stolen customer records up for sale on dark web
Confirms unauthorized access to 'some T-Mobile data.' Plus: Signal expands auto-deleting messages, SIM-swap thief pleads guilty, and more
In brief T-Mobile US is investigating claims that highly sensitive personal data of 100 million customers has been stolen and peddled via the dark web.
On offer is everything an identity thief needs: information like names, addresses, social security numbers, driving license info, and IMEI numbers. 30 million of these records have been put up for sale on an underground forum with the asking price of six Bitcoin, worth around $280,000, Vice reported over the weekend. The rest is being sold privately, we're told.
The seller said it's likely T-Mobile US is up to speed on the security breach because a backdoor used to exfiltrate this data from the telco's servers had been closed. This wouldn't affect the sale, they said.
"We are aware of claims made in an underground forum and have been actively investigating their validity," T-Mobile US told The Register in a statement on Monday.
"Unfortunately, we do not have any additional information to share at this time."
Soon after this article was published, the telco giant shared some of that additional information with us:
We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.
"Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders," it added.
Volodymyr "Bob" Diachenko, an expert in scouring the internet for data-leaking systems, today said he found in mid-July a non-protected, publicly-facing database containing 1.9 million records belonging to the FBI-run Terrorist Screening Center.
This body maintains America's no-fly list, which is part of a larger terrorist watch list. The records apparently included people's names, citizenship, passport numbers, and their no-fly status. The exposed silo was removed in August after Homeland Security was tipped off, said Diachenko.
Signal improves auto-delete
End-to-end encrypted chat app Signal announced some changes last week that should make surveillance a little more difficult. "Words once transiently spoken are now – more often than not – data stored forever," it waxed lyrically in a blog post.
Specifically, Signal has an option to auto-delete messages on both the sender and receiver's devices on a session by session basis. As such, people may forget to use this, or not bother with it. Now auto-delete can be enabled by default across all chat sessions. A countdown timer to deletion can be set from one minute up to four weeks, though Signal warns the system isn't perfect; conversations and pictures can still be screenshotted.
Some bits and bytes...
- Ford's website was running a vulnerable installation of the Pega CMS that could have been exploited to siphon employee information, authentication tokens, and other sensitive internal data. The flaw, CVE-2021-27653, has been patched by Pega, and the Ford website updated, though the researchers who found the hole weren't thrilled by what they said was the automaker's lack of communication.
- Amazon will monitor the keyboard and mouse movements of its support desk workers to catch miscreants misusing or pilfering customer data, it was reported last week.
- Apple emitted another document describing how its controversial system for scanning for child sex abuse material will be protected from abuse.
- Facebook on Friday said it is "rolling out the option to make voice and video calls end-to-end encrypted on Messenger, along with updated controls for disappearing messages."
- Declan Harrington, 21, last week admitted he hijacked victims’ social media accounts and stole hundreds of thousands of dollars in cryptocurrencies via SIM swapping attacks. His accomplice, Eric Meiggs, pleaded guilty in April.
Drupal addresses 'moderately critical' holes
In an advisory on Thursday, Drupal described a "moderately critical" flaw in the third-party WYSIWYG editor CKEditor, which, if enabled on your Drupal system, can be exploited via "one or more Cross-Site Scripting (XSS) vulnerabilities" to potentially perform actions as a logged-in user or administrator.
CKEditor has fixed its flaws; users of Drupal 9.2 should update to Drupal 9.2.4; 9.1 to 9.1.12; and 8.9 to 8.9.18. ®