The T-Mobile data breach from earlier this week definitely happened, and it was indeed very bad.
According to the company, approximately 7.8 million current T-Mobile postpaid customer records were stolen, as well as “just over 40 million” records of “former or prospective customers who had previously applied for credit with T-Mobile.”
While that may not be as bad as the 100 million stolen records initially reported by Vice, it’s still a massive data breach and an embarrassment for T-Mobile, which apparently shut down the leak on its servers only after finding out about it on an online forum.
According to the company, some of the data stolen include customers’ first and last name, date of birth, Social Security number, and driver’s license or ID information. For postpaid accounts and former and prospective customers, no phone numbers, account numbers, PINs, passwords, or financial information was compromised.
For 850,000 active T-Mobile prepaid customers, it gets worse. T-Mobile says their phone numbers and account PINs were also exposed. T-Mobile says it has already reset all the PINs on the accounts, and it will be notifying them “right away.” It’s worth noting that no Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.
T-Mobile says it’s taking immediate steps to help protect the customers affected. These include offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service, recommending all T-Mobile postpaid customers change their PIN, offering postpaid customers extra protection with its Account Takeover Protection feature, and publishing a web page on Wednesday with information related to the data breach.
There’s no two ways about it: This is very, very bad. It’s definitely positive that no financial information or passwords were compromised, but the data breach leaves T-Mobile customers open to identity theft and phishing attempts.
This is far from the first data breach T-Mobile has suffered — though it’s definitely among the worst. The company suffered breaches, albeit on a smaller scale, in 2018, 2019, 2020, and earlier in 2021.