What You Should Do After T-Mobile’s Most Recent Data Breach

Last updated on April 19th, 2024 at 02:35 am

A hooded man sits in front of a laptop. Between him and the laptop is an unlocked lock and the word "data" is printed repeatedly throughout the air.
ID 193110219 © Jakub Jirsak | Dreamstime.com

T-Mobile has yet again suffered a data breach, this time affecting 37 million customers. The company reported in a press release that criminals pilfered customer names, addresses, email addresses, dates of birth and account numbers by abusing an API, an interface that allows computer programs to talk to each other.

T-Mobile emphasized that more sensitive information like credit card numbers and Social Security numbers had not been stolen, unlike in its 2021 breach.

Still, the stolen information could allow the criminals behind the breach to target T-Mobile customers. And if they decide to sell this data or publish it online, customers could be victimized by many more bad actors.

What are the consequences of this breach? And how can I protect myself?

Chester Wisniewski, Field CTO of Applied Research at cybersecurity firm Sophos, told Wired that leaks like this increase the risk of SIM-swapping attacks.

Image made by Safe, Not Scammed in Canva.

In a SIM-swap, attackers convince your cell phone carrier to transfer your number to a device they control. This means they receive all calls and texts meant for you. As well as seriously undermining your privacy, this is a huge security risk for at least two reasons.

The first is that some services allow you to reset your password via SMS. This means an attacker who carries out a SIM-swap can change your password and break into your account, at least if you don’t have two-factor authentication (2FA) enabled.

The second reason a SIM-swap is a security risk is that it allows criminals to receive your 2FA codes if you use SMS-based 2FA. If they already know your password, or if they can reset it via SMS, then they can break into your account even though you’ve set up 2FA.

To protect yourself from the consequences of SIM-swapping, try to remove your phone number from your online accounts. This means you should also switch to a more secure method of 2FA, such as an authenticator app or a security key, though not all services offer these more secure options.

If you can’t remove your phone number, or if SMS-based 2FA is all that’s on offer, another option, recommended by Vice, is to use a Google Voice number instead of your real number. That’s because a Google Voice number can’t be transferred in a SIM-swap: it’s attached to your Google account, not to a SIM card.

A Google Voice number can be transferred if someone gains access to your Google account, though, so lock it down with a more secure 2FA method, like an authenticator or security key.


SIM-swaps aren’t the only possible consequence of the breach, however. The theft of email addresses and phone numbers means the attackers may target you with phishing, smishing, or vishing scams.

In a phishing scam, criminals send you an email in order to trick you into giving away sensitive information, such as your account credentials or credit card information.

They often do this by pretending to be a legitimate company and asking you to click a link and log in to your account. However, the link leads to a fake website controlled by the scammers, and logging in gives them your username and password.

Phishing emails also try to make you panic so you act quickly and don’t notice red flags, such as an incorrect URL on the website asking for your username and password. For example, a phishing email might tell you your account will be suspended if you don’t act fast or claim there was a suspicious transaction on your account.

Smishing and vishing are just like phishing, except that in a smishing scam you’re sent a text and in a vishing scam you’re contacted via a voice call.

So, if you receive an email, text or voice call that asks you to reveal sensitive information, either directly or by clicking a link, be extra careful.

If you’re not sure whether a communication is legitimate, get in touch with the company that supposedly sent it and ask them directly. Just make sure you get their contact information from a trusted source, like their real website, and not from any of the suspicious communications you’ve received.

The takeaway

With their stunningly poor track record of 8 breaches in 5 years, T-Mobile is failing their customers. They need to take real action to step up their security and stop making it easy for cybercriminals to steal sensitive data.
