Un-carrier? Definitely Unsecure: T-Mobile US admits 48m customers' details stolen after downplaying reports

T-Mobile US has begun admitting to the theft of 100 million user accounts in stages, confessing overnight that 8 million people's personal details had been stolen from its servers.

In a statement the American mobile operator said: "Yesterday, we were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals. We also began coordination with law enforcement as our forensic investigation continued."

The story was broken earlier this week by US lifestyle magazine Vice's Motherboard tech offshoot, which spoke to a criminal who posted on a dark web-hosted forum that he had access to 100 million people's data. Vice verified that at least some of the data looked genuine.

At the time, two days ago, T-Mobile confirmed to The Register: "We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved."

Overnight, that position of "no personal data breached" became something much less concrete:

In addition, around 850,000 PAYG customers have, so far, been confirmed by the mobile network operator to have had their names, numbers, and online account PINs compromised.

• Blackbaud – firm that paid off crooks after 2020 ransomware attack – fails to get California privacy law claim dropped
• T-Mobile US probes claims of 100m stolen customer records up for sale on dark web
• Singaporean telco leaked personal data of over 57,000 customers
• Das tut mir leid! Germany's ruling party sorry for calling cops on researcher after she outed canvassing app flaws
• 'I am so TIRED of your bullsh*t...' Sprint boss flips lid at T-Mobile US CEO

"No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed," said T-Mobile in its statement.

Data stolen by criminals included customers' first and last names, date of birth, social security numbers, and "driver's license/ID information for a subset of current and former Postpay customers and prospective T-Mobile customers." Postpay is the American term for a standard mobile phone contract, contrasting with pre-paid/pay-as-you-go.

On the current direction of travel, readers might expect the number publicly confirmed by T-Mobile to slowly creep upwards, though the full 100 million would comprise about a third of the population of the United States.

No information was given by T-Mobile about the attackers' method of entry, though it claimed to have closed off their entry point.

People affected by the breach are being advised by the self-styled "Un-carrier" to change their online PINs. Customers can also sign up for McAfee's ID theft protection service at T-Mobile's expense, the telco said.

While 100 million seems like a large number, it has been dwarfed by other breaches – most notably including the compromise of three billion Yahoo! accounts in 2017. ®