Category | Adversary Intelligence
Affected Industries | Telecommunication
Affected Region | Global
Source* | C3
TLP# | AMBER
Reference | See footnotes below

* Source reliability grading: https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
# Traffic Light Protocol: https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Executive Summary
- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising the PII records of 30 million T-Mobile users, including their SSN, driver’s license number, and date of birth (DOB).
- Based on the timing of the post and the recent T-Mobile data breach, we suspect a connection between these incidents.
- CloudSEK’s Threat Intelligence Research team is validating this post.
Analysis and Attribution
Information from the Source
- On 14 August 2021, a threat actor published a post on a cybercrime forum advertising the PII of 30 million users, including their first name, last name, date of birth, SSN, state, and driver’s license number.
- To substantiate their claims, the actor shared sample records of a few users along with the post. The entire dataset is being offered for sale for 6 BTC (approximately USD 200,000 or INR 2 crore).
Information from Open-Source
- Almost simultaneously, a T-Mobile data breach was reported on multiple news platforms such as ET-CISO[1]. The reports indicate that the threat actor responsible is offering the personal data of 30 million customers for 6 BTC, matching the price in the forum post.
- The report on Vice.com[2] also mentions that although the threat actor’s post did not name the victim, Vice’s publication Motherboard contacted the seller, who confirmed that T-Mobile is the affected party.
- Threads on Reddit[3] have confirmed the leak of first name, last name, date of birth, SSN, and driver’s license (DL) information of T-Mobile customers. These threads also claim that the leaked database may have been obtained from compromised postpaid users’ information.
The Threat Actor
- The threat actor joined the forum in March 2019 and is well regarded there.
- They have occasionally shared posts related to compromised databases and data leaks.
Incidents Leading to this Post
- Prior to this post, multiple other threat actors published posts claiming to have access to the SSN, DL, and DOB details of users. However, the number of records mentioned in these posts differed from one post to another.
- CloudSEK’s Threat Intelligence Research team is trying to confirm if the said information is related to the T-Mobile data breach.
- Another post claiming access to similar information, with around 70,000 records, was published on 16 August 2021, along with a few samples for reference.
- Although the post made by this threat actor has since been removed from the forum, the other posts are still available.
- The actor has a good reputation on the forum.
- The information shared by the actor appears logical and internally consistent.
- Most of the databases the actor has shared in the past have proven to be legitimate leaks.
- The reliability of the actor can be rated Fairly Reliable (C).
- The credibility of the advertisement can be rated Possibly True (3).
Impact & Mitigation
Impact | Mitigation |