Un-carrier? Definitely Unsecure: T-Mobile US admits 48m customers' details stolen after downplaying reports

T-Mobile US has begun admitting to the theft of 100 million user accounts in stages, confessing overnight that 8 million people's personal details had been stolen from its servers. In a statement the American mobile operator said: "Yesterday, we were able to verify that a subset of T-Mobile data had been accessed by …

  1. sev.monster Bronze badge
    Coat

    Whew, so glad I didn't sign up with these folks. I was turned off by their disgusting website and confusing pricing models. It seems MVNOs were not affected either, so anyone using T-Mobile service without actually being signed up for T-Mobile is safe... Gotta love how that works.

    1. Malcolm Weir

      Re: What's the problem?

      Not sure how anyone can describe T-Mobile's pricing as "confusing" (at least, not compared with the other carriers).

      Here's how it works: you buy a phone. They'll let you pay for it over 24 or so months with no interest as long as you have a service plan. If it's locked to them, they'll send you the unlock code on request.

      Then you buy a service plan. Some have features others don't, some are only available to eligible customers. If you don't like the plan you selected, change it.

      No contracts, no "free phones", no crap.

      Don't get me wrong: they're a phone company so there are all sorts of oddities, annoyances and so on. But that's the case with all US "postpaid" providers. T-Mobile just has fewer than AT&T and Verizon...

      1. sev.monster Bronze badge

        Re: What's the problem?

        I remember it being less than transparent with a number of hidden fees (I read the fine print), add-on packages, and multiple plans with conflicting objectives. It's been a while since I last looked, and it does seem like they've minimized and consolidated their plan offerings since then. That's great, but if we are comparing companies directly, then I'm perfectly happy with Mint—again, same service as T-Mobile without dealing with them directly.

        I'm not interested in buying a locked phone or leasing, so I have no reason to investigate any further.

        The site is also still not very good.

      2. jaffy2

        Re: What's the problem?

        Their unlimited packages also include taxes so if it’s $55 for two lines then that’s the monthly bill - no state or local taxes and e.911 surcharge. I’d say that’s pretty transparent.

        It’s not the same customer service since John Legere left but no price increases and free international data keep me happy!

  2. a_yank_lurker Silver badge

    Pay as you Go

    I use a 'Pay as you Go' plan. This means I buy the phone at retail upfront and pay an open ended subscription to my credit card. But I do not have a formal contract nor does the carrier require any information for credit approval. I got away from contracts when I could because the games played to extend the contract. I have had the same carrier for several years now (no plans to switch).

    1. JimboSmith Silver badge

      Re: Pay as you Go

      I use a 'Pay as you Go' plan. This means I buy the phone at retail upfront and pay an open ended subscription to my credit card. But I do not have a formal contract nor does the carrier require any information for credit approval. I got away from contracts when I could because the games played to extend the contract. I have had the same carrier for several years now (no plans to switch).

      Yep I'm the same but I've never had a mobile contract.

  3. Pascal Monett Silver badge
    Trollface

    "we have not yet determined that there is any personal customer data involved"

    We have not yet determined that the stolen personal customer data includes credit card numbers and unencrypted passwords.

    We have not yet determined that the personal customer credit card data has been used.

    We have not yet determined that the customers' bank accounts have been emptied.

    We have not yet determined that the customers' credit ratings have been demolished.

    We have not yet determined whether we will sue a surprisingly large amount of customers that haven't honored their contractual obligations and appear to have a very bad credit rating.

    1. Lil Endian
      Trollface

      Re: "we have not yet determined that there is any personal customer data involved"

      Your satire describes nicely how the poor(er) might will pay the price.

      Well, we wouldn't want those unfortunate profit makers of the world to suffer just because of their own shenanigans - would we?!

      Please Help George!

    2. Anonymous Coward
      Anonymous Coward

      Re: "we have not yet determined that there is any personal customer data involved"

      "We have not yet determined that the customers' credit ratings have been demolished."

      I don't need a data breach of any type of business to help with that; I can wreck my own credit without the help. Hey, crooks: good luck draining accounts that are empty or using closed credit cards!

      (Anon for obvious reasons.)

  4. Jim Mitchell Silver badge
    Facepalm

    I've had a mobile for years in the US and I don't think any carrier has asked for my SSN. Was this part of a credit check process and T-Mobile kept the number on file for some mis-guided reason?

    1. J. Cook Silver badge

      Yes, it's usually for a credit check, which is absolutely not what the social security number was ever intended for, but was turned into the uber-identifier for US citizens for most of their financials, state driver's licenses (until the fed bluntly told them to stop) and any other number of things.

      1. Anonymous Coward
        Anonymous Coward

        Yes, uber-identifier

        I wish I still had my original Social Security card, issued 60+ years ago, because it bore the clear statement: Not to be used for identification.

        The replacement I obtained years later does not.

    2. Anonymous Coward
      Anonymous Coward

      SSN for t-mob

      I don't know what T-Mobile requires now, but way back in the day one of the companies subsequently bought by T-Mobile required SSN and a whole shedload of data that one hopes is no longer being requested (honestly, if I don't pay the bill just turn off the damn service, simples). So the t-mob might have inherited a bunch of these details from acquisitions of early operators and like any good hoarder simply kept it all regardless of whether it's still necessary.

  5. Nunyabiznes

    customer

    I'm a customer and have had 0 contact from T-Mobile about this. Good thing I read El Reg. I mentioned in an earlier article that I would be surprised if they did contact me, so I guess I'm right so far.

    1. Lil Endian

      Re: customer

      I hope Troy Hunt has reserved some extra bandwidth to handle the incoming for you and others.

    2. Old Handle

      Re: customer

      My dad got a text about it, I didn't. Possibly because I've only ever had a pre-paid plan, whereas he's had both kinds over the years. Remains to be seen though I guess.

  6. Mike 137 Silver badge

    Just US subscribers?

    It would be interesting to know whether the data of subscribers outside the US landed up in the repository prior to the breach, and thus might have been leaked alongside that of US subscribers.

  7. tekHedd

    Shouldn't I be hearing this first from T-Mobile?

    I'm a T-Mo customer. Almost 20 years now... Why am I learning about this from the news instead of the company that I supposedly have a longstanding business relationship with?

    Disappointing but not surprising.

    1. simkin

      Re: Shouldn't I be hearing this first from T-Mobile?

      It probably takes a while to decide to notify millions of people that you've kept 20 years of personal information online and accessible to hackers and have therefore lost it.

      1. J. Cook Silver badge
        Flame

        Re: Shouldn't I be hearing this first from T-Mobile?

        The fun part will be that, as a former T-mobile customer who went to a different carrier a number of years ago, I'd like to know a) if they still have my information on file from over 10 years previous; and b) if so, WHY IN THE FIERY INFERNAL REALMS DO THEY STILL HAVE THAT INFORMATION?!?!?!?!!??!

        ::sighs and goes over to the credit bureaus to ask for yet another "information theft" lockdown::

  8. Henry Wertz 1 Gold badge

    It is confusing

    Both posters are right -- at the moment, T-Mo has a pretty nice summary of plans, you pick one of the confusingly named plans (Magenta and Magenta plus are both "unlimited", but one's more unlimited than the other...) and it goes to a nice summary telling the difference between the plans at a glance. It's not too confusing right now. And second poster accurately describes T-Mo's phone payoff (which is how all the carriers here do it now -- except AT&T, who are evil and list their phones at about the same monthly price, hoping you won't notice the tiny tiny fine print stating it's for 36 months rather than the 24 everyone else is doing, getting them like $300+ extra cash out of you).

    First poster is also right, recently they had a summary chart, but with asterisks where they now have info in the chart ("unlimited hotspot*", "unlimited data*") so it just looked like several plans with everything unlimited with no reason to have different prices, until you plowed through fine print. Since they'd also just bought Sprint, they also had a *second* page of plans that were broadly similar (+/- $10 or so on the price, similar features.. but look at the fine print and since it was a different cell co the throttle speeds, cutoffs, etc. are all a little different; the Sprint plans tended to have far more full-speed hotspot.) I don't blame T-Mo on this one though, it's better to keep old plans their just-purchased customers may want available than to immediately ditch them.

    Not that the other carriers are better -- I have Verizon Wireless, and they now have *five* unlimited plans, a set of limited data plans, separate plans for "connected devices", tablets, hotspots (one with unlimited data, but only available based on where you live -- which makes a bit of sense, their network is a tad congested in some areas and selling unlimited home internet in those areas would not be great.) I'm in a sweet grandfathered plan, but *that's* confusing!

    The surprise to me is that it was the T-Mo side cracked into -- Sprint's been infamous for having a mess of a backend system for 10+ years, and I honestly just assumed it was the Sprint side cracked into.

  9. Anonymous Coward
    Anonymous Coward

    Ahh, I am devalued again. The personal information data base inflation from all of these massive hacks means my personal data now sells for less than a dogecoin in the open dark market. Then again, it ain't worth more than that anyhow.

  10. Horst U Rodeinon

    The horse is already gone from the barn, dammit!

    I received a similar notice from the university in a town where I lived 20 years prior. Thing is, I never attended a course there so how they came to have any information about me is a puzzlement. And, would you believe, they told me they could not remove my personal information from their database(s). After stating my opinions of the incapacity of their IT staff, I changed all the numbers and closed all the accounts I could. After three years, I've not had a problem but that doesn't mean I don't still keep an eye out.

  11. HildyJ Silver badge
    Holmes

    SNAFU

    That they were hacked is troubling but not surprising. It seems like everybody is getting hacked these days.

    What is surprising is that, unlike most hacks, they have announced that affected customers will get two years of McAfee's ID theft protection service at T-Mobile's expense. A definite step up from the traditional "We are sorry for the inconvenience."

    1. devnullified

      Re: SNAFU

      Do you work for tmobile or any of their vendors?

  12. Anonymous Coward
    Anonymous Coward

    McAfee huh? so they are doubling down with Malware on top of ID theft

    While the usual credit monitoring hand waving has sadly become an industry norm, the McAfee version of it is hardly an improvement. McAfee software is cancer for your computer, and the company has had a checkered past with leaking customers' information itself. Hopefully T-Mob will be stuck with a class action suit as victims find out their "free" service tries to convert to a paid account after a year.

    We should be banning these companies collecting or holding this information unless a 3rd party has confirmed they are using and storing it correctly.

    Also hello to the tmobile social media team which appears to be here in full force. Where is that 200ish bucks for the "rebate" you never sent on my blackberry curve from more than a decade ago? Still waiting. You may have forgotten me, but I assure you I remember you.

  13. devnullified
    FAIL

    They dont have access to their systems

    Contacted them

    Asked to reset my pin

    They keep stallin

    Keep sending nonsense

    1 hour later and they wont reset my pin

    Here's the chat log

    How can I help you today?

    How to change my pin

    Thank you for messaging us. Looks like there’s a wait, but we’ll be with you as soon as we can. We appreciate your patience. Self-service options are available at https://t-mo.co/selfservice

    Life is boring if you're not smiling. Hi there! This is Princess one of the well trained expert here at T-Mobile. Let's put a smile on your face today. Thank you so much for your time and effort to messaging us. It seems that you want to change your pin, is that correct?

    Yes

    Hello?

    Would you mind me asking, Dev Null why would you like to change your pin?

    Bc tmobile failed to do its job and screwed all of us

    Oh my! Can you tell me more what happen, Matthew? I want to help you on this.

    Tmobiles incompetence to protect its own customers. 100 million customers are affected. Name ss address etc all compromised bc your executives are too stupid to realize they had been hacked. They had to be told. But i am sure they collected their bonus for meeting metrics they set up and were able to cheat. Meanwhile they failed. Does that help capture the cust care directive for those that want to know if customers are even aware? Tmobile is no different than comcast or att....tmobile didnt proactively notify...they let media outlets do it Your ceo cfo cio xiso cmo will all laugh about tomorrow... they are prime examples of incompetence greed and self congratulatory inbred shills. Cant wait to find out which law firm is doing the class action suit. So… princess can you help? Can you unsell my info off the dark web? Can you convince your Chekist goons to undo their failure?

    I cant wait for that attention whore of a ceo to do his media tour of how hard he is working. Tell him to take a knee.

    So...reset my pin

    Princess...are you still wanting to help?

    Dev Null I'm so sorry about what happen, but I just want to ask is this all about the data breach?

    I'm still here, Dev Null. ❤️

    Duh...yes

    Leave off the infantile emojis

    I see. No worries, Dev Null because we are working around the clock to understand all the potential impacts on you and all of our customers. We have not finished the investigation to determine whether your personal or customer data was involved. The investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment, we cannot confirm the reported number of records affected or customer impacts.

    Bulllllllsshhhhhhiiittttt

    You didnt write that

    That came in your inbox from legal.

    Hi there! My name is Carl, the supervisor of the expert. I saw your conversation and I want to personally thank you for allowing us to help you today.

    Bullllshhhhiiit

    I'll be sending you updates to your number.

    What is your canned message from legal?

    That you "understand?"

    That you are "in this together?"

    I get updates b4 you do

    Carl...do you really think a pdf from your lawyers will make this any better?

    100 million records of PII for sale

    Why would you think some "we are working hard" but refuse any responsibility pdf would do any good?

    And i still dont have my pin reset.

    What ...no heart emoji? Carl... watch Office Space. You need more flare. Carl i am not smiling...is life boring?

    Carl....reset the pin.

    Carl????????

    Should i purchase your ss# and email and drivers license and address off the dark web?

    Mine is now out there bc of tmobiles total incompetence

    Cant wait to find out it was an AWS bucket with no security on it.

    Carlll....princess.... are you there?

    Cant wait to post on reddit... SANS ..

    So far your failure to reset my pin has only made this a better post for reddit.

    Carlopierre...are you making me wait bc you got ur feelings hurt?

    Princess can you send Carlopierre a heart emoji?

    Sorry for the wait. We are offering McAfee ID Theft Protection Service for free, for more information see Cyber Security Incident August 2021. To sign up for the service send callers to https://www.t-mobile.com/brand/data-breach-2021/next-step

    Its too late...information already sold

    Free? This is just as insulting as if you had offered me a $10 credit. This is as clownish as when Equifax had to do this.... 90% of the country already has this bc of equifax. And your cyber sec ins pays for this. This literally costs tmobile nothing.

    Reset the pin

    Or can you not reset the pin bc the breach also locked you out from your own systems? That will make a helluva news story for www.theregister.co.uk

    Every minute u delay is additional proof u cannot reset. Every minute is a larger payout from class action.

    McAfee....lol..

    What else you got?

    How about u refund my annual expenditures with T the Breached Mobile for the last 9 years...

    How about your entire c suite of clowns and ass hats resign and go to jail?

    We understand you. We will be updating you regarding this matter.

    Dont need an update

    You need a good legal team

    And no...u dont understand...so patronizing

    Reset the pin

  14. Lucy in the Sky (with Diamonds)

    No Plan is a Viable Plan

    I personally am a great fan of pre-paid mobile phones.

    Once a Vodafone agent cold called me, to convert to a plan, and I asked the agent “Do you know who I am?”

    The agent pondered on this for a moment and said. “No, I do not”

    “Precisely” was my reply…

    The trick is to not tell the cell phone provider who you are, and if they get hacked, the hackers will have the same information the cell phone company has, which is nothing…

  15. Claverhouse Silver badge
    Thumb Down

    I Would Run a Mile...

    ... from any company that wanted my National Insurance number [ = SSN ], driver's licence, etc. for anything I would be paying money to them for.

  16. Version 1.0 Silver badge
    Joke

    My data is safe

    I use Google Fi which means a common connection via the T-Mobile network, I'm so happy that my data is safe ...

    It's just been sold.


Biting the hand that feeds IT © 1998–2021