Update 9/22: T-Mobile has provided the following statement.
There has not been a T-Mobile data breach. The data being referred to online is believed to be related to an independently owned authorized retailer from their incident earlier this year. T-Mobile employee data was not exposed.T-Mobile Media Relations
Our coverage below has been edited to reflect this information.
T-Mobile really cannot catch a break lately.
Just yesterday, on September 20th, we reported that the official T-Mobile app was showing personal account information to other customers, and today we’ve learned that there’s been a separate massive data breach.
As first reported by vx-underground on Twitter, a T-Mobile third party has had over 90GB of data exfiltrated and sold online.
The breach is also not related to yesterday’s app glitch.
Initially, the source believed the data was customer data, however we now know the breached data was in fact employee data. Multiple databases have apparently been accessed, and the examples shown may only be the tip of the iceberg.
As shown by a follow-up tweet from the same user, the data in question was a wide variety of employee data.
The data includes names, employee IDs, dates of hire and termination (which means even former employees may be impacted), job titles, email addresses, employee login IDs (NT IDs), area and region of employment, and Social Security Numbers.
It also appears the service account details for employees was breached. IMEIs, account numbers, plan types, and more were dumped.
The data was apparently accessed back in April, a mere 1 month after the March breach. The data only became available online earlier today for sale on black market sites and places like Telegram and Discord.
The data was leaked via a T-Mobile third party retailer called Connectivity Source.
Connectivity Source is a third party “premium retailer” of T-Mobile service. They operate third party stores nationwide, with stores from California to New York to Florida.
The second source claims the data includes sales data / analytics, T-Mobile support calls with customers, employee credentials, partial SSNs, email addresses and other unspecified customer data.
So far, there are claims that no customer data is involved in this particular breach. However, the second source does mention “Customer data” as being a part of the leak. Sources suggest this refers to “customer support calls”, though it’s unclear if they are recorded calls or transcribed calls with any sensitive data censored.
It’s easy to see how data of this kind could be used to assist attackers with SIM swap attacks, identity theft, or more. This data could easily have been used over the past 6 months to exploit employees or their accounts to access internal systems.
Sadly, data breaches seem to be the norm for T-Mobile lately. As mentioned, an app bug yesterday morning allowed customers to view and edit (and even make payments on) accounts that did not belong to them. Back in May, the company announced the February/March breach which impacted 836 customers.
We’ll update this post if and when we learn any additional info.