T-Mobile Data Breach
On Monday, August 16, T-Mobile issued a public statement stating that unauthorized access to some of their user data had occurred. In the days that followed, it would be uncovered that more than 50 million individual user records may have been exposed. Personally Identifiable information such as names, addresses, phone numbers, and social security information was available for sale in the underground forums for as little as six bitcoins, or roughly $270,000.
Just how did this all happen, and what could T-Mobile have done differently? The answer is a surprisingly simple one – as we’ll see in this blog, very basic security practices should have been in place to prevent this breach from ever occurring
In this blog, we’ll review how this all took place and what they could have done differently to stop this attack. We’ll start by drawing out a timeline of the events as they took place and see how a 21-year-old American in Turkey took down a multibillion-dollar company by not following basic security practices.
August 15, 2021 –
The news of a potentially massive data breach was first reported by Motherboard on August 15. A user on a Tor underground forum was attempting to sell 30 million SSN’s and driver licenses for six bitcoins. When the motherboard private messaged the user directly, they confirmed this data came from “T-Mobile USA. Full customer info,”
While we don’t know how long they had access to the T-Mobile data, the seller confirmed their access was already blocked: “I think they already found out because we lost access to the backdoored servers.”
August 16, 2021-
On August 16, Jeremy Kirk on Twitter provided proof from the attacker that a misconfigured GPRS gateway allowed them to compromise the internal system. Apparently, the gateway was used for testing but left exposed to the public internet. From there, the attacker was easily able to pivot to the internal network by brute-forcing and credential stuffing SSH servers. Eventually, he made his way into an Oracle Database server that stored the customer data
T-Mobile is no stranger to high-profile breaches, but this paints a bleak picture even for them. Not only did they leave a public-facing gateway misconfigured and open for intrusion, but once inside, they appeared to not have basic security measures in place like rate limits on SSH attempts. Limiting SSH failed attempts, which is considered a basic security practice, would have stopped this breach in its tracks, and proper logging would have notified the security team of failed attempts.
Once inside The Oracle server, the attacker was able to exfiltrate large amounts of data until it was eventually noticed by T-Mobile and access shut down. In total, over 106 GB of customer data was exfiltrated by the attacker.
The same day, on August 16, T-Mobile issued a public statement stating that they were working “around the clock to investigate claims being made that T-Mobile data may have been illegally accessed.”
August 17, 2021-
The following day, T-Mobile confirmed that nearly 50 million current and former users might have been impacted by the breach, and the data may have included customers’ first and last names, date of birth, SSN, and driver’s license/ID information. They also advised that any current T-Mobile customer should proactively change their account pin number.
August 20, 2021
The days that would follow would not bode well for T-Mobile. An additional 6M+ current or former customers would also be impacted with additional user data, such as IMEI and IMSI information potentially collected as well.
August 26, 2021.
In an interview with the Wall Street Journal, a 21-year-old American living in Turkey named John Simms claimed to be behind the breach. According to the report, the attacker had access to T-Mobile’s server since July before his access was cut off. He said, “I was panicking because I had access to something big. Their security is awful.”
August 26 lawsuits
A pair of lawsuits also ensued claiming T-Mobile had “failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers.”
In an official statement from T-Mobile, the CEO Mike Sievert essentially confirms what John Simms previously said by stating the attacker “used brute force attacks and other methods to make their way into other IT servers that included customer data.”
What could they have done differently?
Perhaps the most frustrating aspect of this breach is that basic security controls that would have prevented this were not in place.
For starters, a gateway used for testing should not have had any access to internal resources. This is where the concept of segmentation and security policies comes into play, especially on devices used for testing.
Once inside, the attacker used brute-forcing and SSH credential stuffing to log into the Oracle DB with the customer information. As part of any good password policies, rate limits should be put in place. After a limited number of bad attempts, the attacker should have been locked out, and notifications to the security team should have gone off.
Once inside the Oracle DB, the attacker was allowed to exfiltrate over 106 GB of user data undetected. This is where proper detection and response protocols should have been in place to notice the large amount of data being transferred from a critical system.
Post Mortem / Ramification
While T-Mobile is offering two years of identity protection for impacted users, it doesn’t even begin to address the fallout that could result from this massive data breach. All in all, the user data collected from the breach includes:
- Customer Name
- Social Security Numbers
- Phone numbers
- Account pins used to access the account
- IMEI and IMSI
With this kind of information for anyone to purchase, impacted users are at high risk of identity theft.
Unfortunately, the risk doesn’t stop. Michael Krebs, from KrebsonSecurity, has an article on the “Lifecycle of a Data Breach.” The article reviews how information from past data breaches is typically used and recycled by attackers over time. Particularly, T-Mobile users are likely to be targeted by specific phishing messages, account takeovers, and SIM swaps.
In fact, according to Business insider, users are already receiving phishing text messages on their T-Mobile phones.
Phishing attacks will likely leverage the public attention of the data breach to send affected users targeted emails. Now armed with your personal information, attackers could easily craft a phishing email, text message, or phone call to make it appear even more legitimate.
SIM swaps are particularly scary because attackers now have names and phone numbers of more than $50 million users. With so many account services offering SMS-based password resets, an attacker could easily reset an online password to their device using a SIM swap. High-profile users should be on particularly high alert for this kind of attack, now that their phone numbers are exposed to the world.
T-Mobile is suggesting that all users reset their account passwords in an attempt to thwart account takeovers. However, most services also use the last four digits of a user’s social security number as a passcode or backup verification method. An attacker possessing your name, SSN and DOB has what they need to take over your account. This should serve as a warning to not just reset your T-Mobile passcode but also your passcode to other services you use and make sure the provider does not bypass that passcode with information the attacker may already possess.