T-Mobile Data Breach Is Reminder to Practice Your Own Cybersecurity

Personal information, up for sale on ‘dark web,’ fuels financial fraud

menacing guy hiding his identity pushed a shopping cart full of stolen identities

John Ritter

Katherine Skiba and Edward C. Baig,

AARP

En español

Published April 01, 2022

/ Updated January 25, 2023

Customer data from 37 million T-Mobile accounts was stolen late last year, the company disclosed Jan. 19.

While no Social Security numbers or financial account information was taken, customer names, account numbers, billing addresses, birth dates, emails, phone numbers and information such as the number of accounts and service plan features were stolen, according to the company, among the three largest U.S. wireless carriers. The breach potentially affects roughly a third of T-Mobile’s customer base.

In a filing with the federal Securities and Exchange Commission, T-Mobile wrote that it “promptly commenced an investigation with external cybersecurity experts, and within a day of learning of the malicious activity, we were able to trace the source ... and stop it.” The company said it believes the hacker first accessed the data trove on or around Nov. 25.

“The malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” said T-Mobile, adding that its investigation is continuing.

But while T-Mobile is not the only company, cellular or otherwise, to experience massive data spills in recent years, this latest rupture was its second major security leak in less than 24 months. In August 2021, T-Mobile revealed that hackers stole personal data on more than 40 million U.S. customers, a figure subsequently revised upward to nearly 77 million.

people walk in front of a t-mobile store front

Hackers stole information on 37 million T-Mobile customers, about a third of its accounts, the wireless carrier said Jan. 19, 2023.

Justin Sullivan / Getty Images

Why a data breach matters

Information powers the fraud industry. Without names, credit card info, email addresses, passwords, Social Security numbers or other personal data, a scammer cannot reach you or pretend to be you.

And so a massive illegal, international underground economy has emerged to serve the needs of scammers. The wares? More than 15 billion pieces of stolen personal data, according to law enforcement and cybersecurity experts with the firm Digital Shadows. That sounds like a lot of data, but it isn’t.

The average person logs in to nearly 200 sites that require passwords or other information, Digital Shadows estimates. Sitting in your computer are endless amounts of personal data that may be useful to a scammer. And so another illegal industry is constantly at work: data stealing.

A near record 1,802 publicly reported breaches of large-organization customer databases occurred in 2022, according to the Identity Theft Resource Center. Most of that data ends up in this dark web marketplace, being bought and sold.

If this info marketplace were an actual mall, the people you’d find there primarily would be hackers who steal the information and sell it in bulk, malicious code writers who help those hackers gain access to your computer by infecting it with malware, and vendors who buy the stolen data, repackage it and sell it to the “end users” — the people actually trying to ensnare you in a scam.

“While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware,” T-Mobile wrote in a statement. “No passwords, payment card information, Social Security numbers, government ID numbers or other financial account information were compromised.”

Even if that’s so, risks remain. On his KrebsOnSecurity blog, cybersecurity expert Brian Krebs wrote: “There are currently no signs that hackers are selling this data haul from T-Mobile. But if the past is any teacher, much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.”

How much is your personal identifiable information (PII) worth to scam artists? While many people think a nine-digit Social Security number is their most valuable identifier, “it’s actually worth about $2,” says James E. Lee, chief operating officer of the nonprofit Identity Theft Resource Center in San Diego.

If a Social Security number comes with a name and date of birth, it’s $4 or $5, or about “the cost of a caramel macchiato,” Krebs says.

A person’s credit card information is worth more, about $25 to $35, Lee says. A hacked Facebook account can bring $65, and a selfie photo with a U.S. driver’s license, $100.

Who’s buying this information?

“There are hundreds of thousands of serious ‘threat actors’ throughout the world,” says Robert Villanueva, a retired U.S. Secret Service supervisor who’s now executive vice president of Q6 Cyber in Hollywood, Florida.

Shopping & Groceries

Coupons for Local Stores

Save on clothing, gifts, beauty and other everyday shopping needs

View Details

See All

See more Shopping & Groceries offers >

{"hideCategory":false,"useAlternateLanguage":false,"headlineIconAltText":"","listItems":[{"categoryTitle":"Shopping \u0026 Groceries","categoryUrl":"/membership/benefits/shopping/","categoryDeeplinkParam":"shoppingandgroceries","isLimitedTimeOffer":false,"offerJson":{"dbr_offer_id":"cc10a5160ce1087afc819517a2b9e911","source_name":"Coupons for Local Stores","offer_title":"Shopping Savings Near You","offer_description":"\u003cp\u003eMembers save at a range of local shops and national chains.\u003c/p\u003e","offer_short_description":"Save on clothing, gifts, beauty and other everyday shopping needs","category_list":"shoppingandgroceries","subcategory_list":"","tags":[{"tagID":"dbr:shoppingandgroceries","title":"Shopping \u0026 Groceries","name":"shoppingandgroceries","deeplink_url":"/membership/benefits/shopping/","deeplink_param_value":"shoppingandgroceries","get_offers_url":"/etc/aarp/dbr/ws.api/offers/shoppingandgroceries.json","sub_tags":[]}],"vertical_image_url":"https://aarp.widen.net/content/xhzbaxzkbr/jpeg/258x334-woman-winter-coat-outside-looking-smiling-at-cellphone-shopping-bags.jpeg?position\u003dc\u0026color\u003dffffffff\u0026quality\u003d99\u0026u\u003dqgu0ow\u0026title\u003dCoupons for Local Stores\u0026alt\u003dWoman wearing winter coat and scarf, turtleneck, outside shop window holding shopping bags, looking and smiling at cellphone","image_url":"https://aarp.widen.net/content/fmgbu5vstd/jpeg/1140x641-woman-winter-coat-outside-looking-smiling-at-cellphone-shopping-bags.jpeg?position\u003dc\u0026color\u003dffffffff\u0026quality\u003d99\u0026u\u003dqgu0ow\u0026title\u003dCoupons for Local Stores\u0026alt\u003dWoman wearing winter coat and scarf, turtleneck, outside shop window holding shopping bags, looking and smiling at cellphone","advertisement_flag":"","advertisement_sort_order":"","merchant_phone":"","merchant_phone_label":"","offer_deeplink_url":"/membership/benefits/shopping/even-more-shopping-discounts/","howto_redeem":"Learn More","howto_redeem_url":"https://memberoffers.aarp.org/shopping/","howto_redeem_expired":"Renew to Learn More","howto_redeem_expired_link":"https://appsec.aarp.org/mem/renew","howto_redeem_non_member":"Join to Learn More","howto_redeem_non_member_link":"https://secure.aarp.org/applications/membershipChallenge/showChallengeForm.action?appName\u003daccount","howto_redeem_anonymous":"Join to Learn More","howto_redeem_anonymous_link":"https://appsec.aarp.org/mem/join?campaignid\u003dUASMBP1\u0026intcmp\u003dEWHERE-MBCHAE-LP-MMA-JOIN","howto_redeem_desc":"Follow the instructions on the offer to redeem it in person or online.","member_exclusive_flag":"no","offer_type":"EverGreen","hideLeavingAARP":"false","interstitial_desc":"You’ll leave AARP and go to the website of a trusted provider. The provider’s terms, conditions, and policies apply.","dbr_offer_type":"discount","restrictions":"\u003cp\u003eThese AARP member benefits are provided by a third party, not by AARP or its affiliates. These offers are subject to change and may have restrictions.\u003c/p\u003e","lto_daysleft_start_control":30,"is_redeemable_in_person":"false","is_redeemable_only_in_person":false,"state_blacklist":[],"offer_timing":"anytime","line_of_business":"ASI discounts","asi_category":"ASI Shopping","analytics_brand":"Augeo | Coupons for Local Stores","analytics_offerid":"even-more-shopping-discounts","howto_redeem_already_registered_anon":"Member Log In","howto_redeem_already_registered_anon_link":"https://login.aarp.org/online-community/loginform.action","howto_redeem_already_registered_nonmember":"Link your membership","howto_redeem_already_registered_nonmember_link":"https://secure.aarp.org/applications/membershipChallenge/showChallengeForm.action?appName\u003daccount","offer_keywords":["local","retail discounts","shopping","member benefits","aarp benefits","aarp discounts"],"offer_keywords_spanish":[],"provider_logo":"https://aarp.widen.net/content/tsjfmg2htd/svg/see-more-shopping-red-logo.svg?u\u003dqgu0ow\u0026title\u003dshopping bag red logo icon\u0026alt\u003dshopping bag red logo icon","provider_logo_alt_text":"shopping bag red logo icon","provider_logo_cdn_uri":"https://aarp.widen.net/content/tsjfmg2htd/svg/see-more-shopping-red-logo.svg?u\u003dqgu0ow\u0026title\u003dshopping bag red logo icon\u0026alt\u003dshopping bag red logo icon","provider_logo_width":"","provider_logo_height":"","enable_utm_parameters":"","append_aid_paramter":"","lto_model_heading":"Limited Time Member Offers","lto_advertisement":"Member Exclusive Advertisement","ty_socialMissionFlag":"true","deeplink_param_value":"even-more-shopping-discounts","howto_redeem_2":"Learn More","howto_redeem_already_registered_nonmember_label":"Already a member?","howto_redeem_already_registered_anon_label":"Already a member?","image_alt_text":"Woman wearing winter coat and scarf, turtleneck, outside shop window holding shopping bags, looking and smiling at cellphone","image_title":"Coupons for Local Stores","image_cdn_uri":"https://aarp.widen.net/content/fmgbu5vstd/jpeg/1140x641-woman-winter-coat-outside-looking-smiling-at-cellphone-shopping-bags.jpeg?position\u003dc\u0026color\u003dffffffff\u0026quality\u003d99\u0026u\u003dqgu0ow\u0026title\u003dCoupons for Local Stores\u0026alt\u003dWoman wearing winter coat and scarf, turtleneck, outside shop window holding shopping bags, looking and smiling at cellphone","tab_label_offer_details":"Details","tab_label_restrictions":"Disclosures","geoloc_tab_label":"Locations","disclaimer_label":"","geoloc_provider_legal_info":"","geoloc_miles_label_text":"Miles","geoloc_show_results_within_label_text":"Show results within","geoloc_see_more_button_text":"See More","geoloc_find_location_label":"Find a Location","geoloc_total_results_label":"Result(s)","geoloc_no_results_view_message":"There are no locations within a 100 mile radius. Please try another location","geoloc_tab_hint_text":"Enter an address, city, or ZIP","geoloc_mobile_list_cta":"LIST VIEW","geoloc_mobile_list_cta_url":"","geoloc_mobile_map_cta":"MAP VIEW","geoloc_mobile_map_cta_url":"","geoloc_provider_link_cta_url":"","geoloc_experience_type":"","ty_ctaText":"Continue","geoloc_hide_tab":"true","ty_interstitialText":"Thanks for visiting aarp.org! Come back again to check out all of the AARP Member Benefits and unlock the full power of membership.","howto_redeem_label":"How to Access","ty_interstitialDesc":"Come back again to check out all of the AARP Member Benefits and unlock the full power of membership.","ty_cancelText":"Cancel","ty_interstitialTitle":"Thanks for visiting aarp.org!","lto_daysleft":"Days Left","provider_logo_title":"shopping bag red logo icon","geoloc_hide_see_more_button":"false","geoloc_provider_link_cta":"","offer_page_path":"/benefits-discounts/all/even-more-shopping-discounts/","redemption_content":"","show_phone_number_above_cta":"","restrictions_label":"Disclosures","show_state_availability":"","state_availability_text":"SEE AVAILABILITY IN YOUR STATE","hideRestrictionsTab":"","ltos":[]},"parentOfferJson":{}}]}

This personal data is sold in digital “shops” on the dark web, as well as in more exclusive online “forums” accessible to more sophisticated cybercriminals, Villanueva says.

Malware, or malicious software, is critical to their crimes — because if a computer is compromised with what’s called a keylogger, every letter a person types is revealed to the bad guys, who can grab banking and email credentials and take over these accounts.

Your smartphone is also targeted. “Threat actors are really going after people’s phone numbers to hijack their digital lives, because that’s the weakest link,” Krebs says.

6 ways to stay safe

1. Set up your digital accounts to require multifactor authentication.

2. Freeze your credit card at the three major credit bureaus. Do the same for your dependents’ credit. That helps prevent a scammer with your info from making any major transaction in your name or the name of a dependent. “It’s really the only thing that gives the consumer some amount of control over their identify, when everything else around them is getting breached and stolen,” security expert Brian Krebs says.

3. Don’t save credit card numbers online with merchants or service providers.

4. Activate biometric locks — facial recognition or fingerprints — on your mobile device to safeguard data, should the device be lost or stolen.

5. Use antivirus software and perform recommended cybersecurity updates on your devices.

6. Because your phone number increasingly is being used to identify you, remove it from as many online accounts as possible. You may need to use your number to open some accounts, but go back and remove it later.

This story, originally published April 1, 2022, has been updated to reflect a major T-Mobile data breach.

%{postComment}%

Katherine Skiba is a contributing editor who covers scams and fraud for AARP. Previously she was a reporter with the Chicago Tribune, U.S. News & World Report and the Milwaukee Journal Sentinel. She was a recipient of Harvard University’s Nieman Fellowship and is the author of the book Sister in the Band of Brothers: Embedded With the 101st Airborne in Iraq.

Edward C. Baig is a contributing writer who covers technology and other consumer topics. He previously worked for USA Today, BusinessWeek, U.S. News & World Report and Fortune, and is author of Macs for Dummies and coauthor of iPhone for Dummies and iPad for Dummies.

T-Mobile Data Breach Is Reminder to Practice Your Own Cybersecurity

Personal information, up for sale on ‘dark web,’ fuels financial fraud

Why a data breach matters

Who’s buying this information?

6 ways to stay safe

Benefits Recommended For You