T-Mobile Data Breach Forces Customers to Change Their Passwords
Over the weekend, T-Mobile customers started receiving text messages that got them quite worried. Their telecommunication provider had suffered a data breach, which resulted in unauthorized access to customer information, the brief message said. The attack had already been stopped, and the telco was quick to point out that the hackers didn't steal any Social Security Numbers, passwords, or financial information. Users who wanted to learn more were invited to follow a link. Some of you may have already spotted a few problems.
A phishy-looking alert
First of all, T-Mobile hadn't officially announced a breach at the time, which got some people suspicious. When they took to social networks to see if they could figure out what was going on, they realized that not every T-Mobile customer had received the same text message. They resorted to social media because, instead of telling them to contact a T-Mobile support agent over the phone, the text message told users to follow a shortened URL for more details.
All in all, the SMS T-Mobile users received had quite a few things in common with the scam messages people have been warned about for years. There was one crucial difference, though – it wasn't a scam message.
T-Mobile really did suffer a data breach
The tweets and posts caught the attention of Alex Wagner from TmoNews.com, who asked some questions and learned that the text message wasn't a scam. T-Mobile had really suffered a data breach.
The shortened URL from the SMS leads to a page that provides a brief account of what happened. Apparently, after breaching the telco's systems, hackers managed to access the personal details of some of T-Mobile's prepaid customers. The stolen information includes names, billing addresses, phone numbers, and account numbers, as well as other data related to the services affected users have subscribed to. The page once again confirms that T-Mobile's security people have stopped the attack and that nothing particularly sensitive has been compromised.
Users are told that they can consider changing their PINs and passwords just in case, and this time, they are assured that if they call one of T-Mobile's customer support numbers, they will be able to get all the information they need.
All things considered, this doesn't look like the worst breach in the world. Even so, it doesn't put T-Mobile in the best possible light.
T-Mobile's handling of the issue was hardly exemplary
It didn't take long for users to understand that they weren't targeted by a phishing-over-SMS attack, and they were probably relieved to find out that the hackers couldn't steal any especially sensitive information. Those who have been actively interested in cybersecurity will probably see the mistakes T-Mobile made, however.
As we mentioned already, a brief and vaguely worded text message is not exactly the best way to break the news, and the shortened URL included in it is a downright terrible idea. At the very least, the SMS should have been accompanied by a public statement disseminated through the traditional channels.
In an ideal world, that public statement would include a lot more information than what T-Mobile has given us in the aftermath of this breach. For example, neither the SMS alert nor the page it links to gives users any idea how large the breach was. Even after TmoNews.com asked how many people were affected, the answer wasn't exactly specific: "a very small single digit percentage".
The fact that the number of people who have had their personal data exposed is not very large shouldn't be an excuse for lack of transparency when it comes to reporting an incident of this type. Hopefully, both T-Mobile and other service providers will learn that.