T-Mobile underwent two data breaches early in 2023, in January and in April. In September, new data emerged pertaining to an earlier breach, and a minor incident happened in which some customer information was exposed to other customers.
Below is a full timeline of the T-Mobile data breaches, starting with the most recent.
September 2023: 89 GB of T-Mobile Employee Data Posted to Hacker Forum
On September 21, a trove of stolen data was posted to Breached forums, a popular hacker forum. The 89 gigabyte cache largely pertained to T-Mobile employees, including email addresses and partial Social Security numbers, as well as some order information pertaining to T-Mobile customers.
This data was tied to an April breach of Connectivity Source, a T-Mobile retailer. T-Mobile itself denied the breach, and does not appear to have been directly hacked as part of this incident.
September 2023: System Error Exposes Data on T-Mobile Customers
In late September, a glitch at T-Mobile exposed customer and payment data pertaining to fewer than 100 customers. Some T-Mobile customers discussed this data leak on Twitter, stating that the T-Mobile app was showing them information on other customers, including phone numbers and billing addresses.
According to T-Mobile, the issue was connected to an overnight technology update and involved very limited account information. Additionally, the company stated that the glitch was quickly corrected.
April 2023: T-Mobile Discloses Second Data Breach of 2023
On April 28, T-Mobile notified 836 customers that their data had been compromised in a breach. Though the scale of this attack was more limited than the January breach, it included highly sensitive data, such as Social Security numbers, government ID data, and T-Mobile account PINs.
January 2023: Hacker Uses API to Access Data on 37 Million Accounts
In January 2023, T-Mobile announced that a “bad actor” exploited an API vulnerability to obtain information from customer accounts. While the exact impact of the data breach isn’t known, up to 37 million postpaid and prepaid accounts are potentially affected.
T-Mobile identified malicious activity – which took place in November 2022 – on January 5, 2023, and contained the incident within 24 hours. The company states that no sensitive information – such as credit card numbers – was gathered by the attacker during the hack.
However, the company admits that some personally identifiable information, such as names, billing addresses, phone numbers, and emails, was breached. The company began notifying customers whose details were compromised in January 2023.
August 2021: Hackers Steal Data on Nearly 77 Million T-Mobile Customers
In August 2021, T-Mobile announced a data breach involving 40 million T-Mobile customers. Over time, the number of impacted customers climbed, ultimately reaching 76.6 million. Highly sensitive data was gathered by hackers, including names, Social Security numbers, and information from driver’s licenses.
The data featured a mix of current customer records and individuals who applied for credit with T-Mobile. Account numbers, phone numbers, passwords, PINs, or financial data like credit card numbers were not part of the breach.
In June 2022, T-Mobile agreed to a settlement on a class-action lawsuit filed by customers who were harmed in the breach. The wireless company agreed to pay $350 million to settle claims made by customers and an additional $150 million to improve its cybersecurity measures.
December 2020: Hackers Access Customer Information on 200,000 Accounts
In January 2021, T-Mobile announced a data breach that it detected in December 2020. Unauthorized access to customer information was detected, and the company took swift action once it identified the attack to prevent further data acquisition.
In total, around 200,000 T-Mobile customers were impacted by the breach. The hack specifically involved “customer proprietary network information (CPNI),” such as phone numbers, the number of lines on accounts, and some call-related data. Customer names, email addresses, financial details, passwords, PINs, and Social Security numbers were not stolen during the incident.
March 2020: Hacker Accesses T-Mobile Employee Email Data
In March 2020, T-Mobile announced a data breach involving employee email accounts, some of which held data on T-Mobile customers and other employees. The wireless company believed the information gathered could have included names, addresses, phone numbers, account numbers, and more. Additionally, a group of users had more sensitive data – including Social Security numbers and financial information – compromised during the attack.
The number of impacted customers and employees wasn’t disclosed. However, notifications went out to customers and recommended specific security measures, such as updating passwords and PINs.
November 2019: Over 1 Million Prepaid T-Mobile Customers Impacted by Data Breach
In November 2019, T-Mobile announced a data breach involving more than 1 million prepaid customer accounts. Hackers accessed personal information, including names, addresses, phone numbers, and account numbers. Credit card information and Social Security numbers were not part of the breach. Additionally, passwords weren’t compromised.
The attack itself was detected in early November 2019, and T-Mobile took immediate action to halt it. The exact nature of the hack wasn’t disclosed, and T-Mobile didn’t state how long the information was exposed before the attack was identified.
August 2018: Data on 2 Million T-Mobile Subscribers Stolen
A relatively short attack occurred in August 2018, but it nonetheless exposed a significant amount of T-Mobile subscriber data. By exploiting a vulnerable API, hackers were able to gain access to a database and collect information on an estimated 2 million T-Mobile subscribers.
Customer names, account numbers, billing address zip codes, phone numbers, and email addresses were potentially exposed during the incident. Financial data and Social Security numbers weren’t stolen. Additionally, passwords weren’t accessed.
T-Mobile informed the impacted customers with relative speed, primarily recommending password changes and vigilance. The company also broadly recommended regular password changes as a security measure to all customers, regardless of whether they were impacted by the breach.
October 2017: Website Bug Exposes Customer Data
In October 2017, reports emerged about a website bug that exposed customer data by making it possible for hackers to gather information. Attackers simply needed to know or guess a customer’s phone number as a means of obtaining data, including information like account numbers, email addresses, and IMSIs, numbers that identify individual devices.
Using the flaw in the site, hackers could have potentially scraped data on any number of T-Mobile subscribers, which totaled around 70 million at the time of the incident. However, T-Mobile stated that only a small portion of its customer base was affected by the breach.
The issue was subsequently patched. However, hackers reported that the vulnerability may have been used more broadly than previously expected, potentially for SIM swapping or similar activities.
October 2015: Data on 15 Million T-Mobile Subscribers Stolen from Experian
While the incident, which was reported in October 2015, didn’t involve breaching T-Mobile systems, the impact directly hit the wireless company’s customers. Names, addresses, birth dates, Social Security numbers, driver’s license numbers, and passport numbers were compromised, with approximately 15 million T-Mobile customers being impacted.
Hackers breached the Experian network and collected T-Mobile data. The data was provided to Experian for the purpose of conducting credit checks on customers who wanted to finance phones or open up new accounts with the carrier.
The hack involved data provided by customers over the course of more than two years. All victims were notified by Experian and offered credit monitoring.
November 2009: Millions of T-Mobile Customer Records Stolen and Sold to Rival Companies
Reports emerged in November 2009, outlining a T-Mobile data breach impacting potentially millions of customers. Customer records were acquired and sold to rival carriers, giving them information about customers – including contract end dates – that companies could use to attempt to lure customers away from T-Mobile.
During an investigation, T-Mobile approached a watchdog group after identifying evidence that an employee was illegally selling customer data to others, primarily turning to brokers who would then resell the information. T-Mobile instituted safeguards to prevent similar activity in the future. The exact number of impacted customers wasn’t clear, but the total number of records reached into the millions.