We’ve reported previously on the issue of “SIM Swapping”, where a bad actor illegally and fraudulently obtains access to someone’s phone line by swapping the SIM card on the line to one they possess. This allows the criminal to use the line to obtain two-factor authentication codes sent to the victim for the purposes of accessing online accounts. Often, this results in the victim losing money, either from their bank accounts or crypto wallets.
Separately, T-Mobile has had issues with data breaches in the past, including one back in September affecting employees of a third-party retailer named Connectivity Source. Now a bad actor appears to be using employee data to contact them offering to pay for SIM swaps.
According to multiple posts on Reddit, as well as separate individuals sending us tips here at The Mobile Report, T-Mobile employees from all over the country are receiving texts offering them cash in exchange for swapping SIMs.
The texts offer the employee $300 per SIM swap, and asks the worker to contact them on telegram. The texts all come from a variety of different numbers across multiple area codes, making it more difficult to block.
The text also claims they acquired the employee’s number “from the T-Mo employee directory”. If true, it could mean T-Mobile’s employee directory, with contact numbers, has somehow been accessed.
It’s also possible the bad actor has live/current access to this data, though we consider that less likely due to the fact that some impacted people are former employees who have not worked at the company in months.
Where did this private information come from?
Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers. We’re not sure yet which employees are impacted, but based on comments online it seems at least a few third-party employees are affected, and we’ve independently confirmed current corporate employees have also received the message.
Though we can’t say for certain, this likely means the information is not the same data as what was leaked during the Connectivity Source breach. We can’t, however, eliminate that possibility. As mentioned, there are reports that some of the contacted people are former employees, and haven’t been employed at T-Mobile for months, so the information being acted upon is likely a few months old at the very least.
That being said, we’re pretty confident based on corporate employees being included that this is a different source of data being used.
We reached out to T-Mobile PR and received the following response:
We did not have a systems breach. We continue to investigate these messages that are being sent to solicit illegal activity. We understand other wireless providers have reported similar messages.
T-Mobile
What it means for customers
This news isn’t exactly comforting to customers, either. The fact that criminals still see SIM swapping as a viable way to make lots of money means companies haven’t done enough to help prevent them from happening.
Plus, with so many employees being offered a way to make some quick cash, it’s conceivable that a few of them might take up the offer, which means customer accounts (and money) could be at risk.
What you should do as a customer
Fortunately though, as a customer, you have ways to protect yourself. If you’re concerned about a possible SIM swap, you should take a few precautions.
First and foremost, if you use any services online that have two-factor authentication, be sure it is not SMS-based. Use an app like Google Authenticator or Authy for this purpose instead.
Sometimes, services may have SMS as the only option for two-factor. If this service is a bank or a crypto wallet, consider switching, because that isn’t great. That being said, you should also enable SIM protection on your T-Mobile account. To do this, you can follow the instructions in our guide here.
Hopefully, this isn’t a new breach from the carrier known for data breaches lately. The best case scenario is the affected employee numbers are from the leak back in September, but it’s just as possible this is a new breach or method of access that affects many more.
As always, we’ll keep you updated if we learn more.
