30 Million Records from Alleged T-Mobile Breach for Sale

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising the PII records of 30 million T-Mobile users, including their SSN, driver’s license, and date of birth (DoB).
Updated on: April 19, 2023
Published on: August 29, 2021
Read time: 5 minutes

Category

Adversary Intelligence

Affected Industries

Telecommunication

Affected Region

Global

Source*

C3

TLP#

AMBER

Reference

* https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
# https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising the PII records of 30 million T-Mobile users, including their SSN, driver’s license, and date of birth (DoB).
  • Based on the timing of the post and the recent T-Mobile data breach, we suspect a connection between these incidents.
  • CloudSEK’s Threat Intelligence Research team is validating this post.
[Figure: Threat actor’s post on the cybercrime forum]

Analysis and Attribution

Information from the Source

  • On 14 August 2021, a threat actor published a post on a cybercrime forum advertising the PII of 30 million users, including their first name, last name, date of birth, SSN, state, and driver’s license number.
  • To substantiate their claims, the actor shared samples of a few users’ records along with the post. The entire dataset is being offered for sale for 6 BTC (approximately US$200,000 or INR 2 crore).
 

Information from Open-Source

  • Almost simultaneously, news of a T-Mobile data breach was reported on multiple news platforms such as ET-CISO[1]. The reports indicate that the threat actor responsible is offering the personal data of 30 million customers for 6 BTC, as mentioned in the forum post.
  • The report on Vice.com[2] also mentions that although the threat actor’s post did not name the victim, their online publication Motherboard contacted the seller, who confirmed that T-Mobile is the affected party.
  • Threads on Reddit[3] have confirmed the leak of first name, last name, birthdate, SSN, and DL information of T-Mobile customers. These threads also claim that the leaked database may have been built from compromised postpaid users’ information.
 

The Threat Actor

  • The threat actor joined the forum in March 2019 and has a strong reputation there.
  • They occasionally share posts related to compromised databases and data leaks.
 

Incidents Leading to this Post 

  • Prior to this post, multiple other threat actors published posts claiming to have access to the SSN, DL, and DOB details of users. However, the number of records mentioned in those posts differed.
  • CloudSEK’s Threat Intelligence Research team is working to confirm whether this information is related to the T-Mobile data breach.
  • Another post claiming access to similar information, with around 70,000 records, was published on 16 August 2021, along with a few samples for reference.

Updates as of 25 August 2021

  • Although the post made by this threat actor has been removed from the forum, the other posts are still available.

Source Rating

  • The actor has a good reputation on the forum.
  • The information shared by the actor seems logical and consistent.
  • Most of the databases the actor has shared in the past are legitimate leaks.

Hence,

  • The reliability of the actor can be rated Fairly Reliable (C).
  • The credibility of the advertisement can be rated Possibly True (3).

This gives an overall source credibility rating of C3.

Impact & Mitigation

Impact

  • The compromised database contains users’ PII, which threat actors can potentially use to conduct attacks such as:
    • Social engineering attacks
    • Phishing attacks
    • Identity theft

Mitigation

  • Update the system and all applications to the latest patches and versions.
  • Use a regular password update policy, and avoid password reuse across multiple accounts.
  • Use 2FA (Two-Factor Authentication) across all logins.
  • Check for anomalies in transaction and login information, such as logins from unknown locations.
 

References 

[1] https://ciso.economictimes.indiatimes.com/news/t-mobile-investigating-claims-of-customer-data-breach/85359920
[2] https://www.vice.com/en/article/y3d4dw/t-mobile-confirms-it-was-hacked
[3] https://www.reddit.com/r/tmobile/comments/p68lyt/megathread_tmobile_data_breach_august_2021/

