
T-Mobile Database Breach Exposes 2 Million Customers' Data

Attacker Wants to Sell Stolen Data, Security Researcher Warns

T-Mobile's Times Square store in New York City (Source: T-Mobile)

T-Mobile says it quickly shut down a cyberattack against a database, but the incident may have exposed personal data for 2.3 million of its 77 million customers. And it appears that the person responsible for the breach may be keen to sell the stolen data.


T-Mobile says in a statement that it detected and quickly blocked the attack on Aug. 20. But the attacker still managed to obtain customers' names, ZIP codes, phone numbers, email addresses, account numbers and whether the accounts are prepaid or postpaid.

"We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access," T-Mobile says. "We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you. None of your financial data - including credit card information - or Social Security numbers were involved, and no passwords were compromised."

But a T-Mobile spokeswoman later told news site Motherboard that "encrypted" passwords were in the batch of data.

Security researcher Nicholas Ceraolo says he obtained a sample of the data from someone who is a friend of the person who stole it. Ceraolo says he's heard that the person responsible for the intrusion wants to sell the data.

Ceraolo, who says he was not involved in the breach, says he was able to confirm that the hacker accessed T-Mobile via a vulnerable API.

Hash Questions

T-Mobile's assertion that no password information was stolen - and later clarification that encrypted passwords were exposed - has led to questions about whether the stolen password data puts customers at risk. Ceraolo shared with Motherboard a cryptographic hash that he believes came from the T-Mobile theft.

Ceraolo tells Information Security Media Group that he shared the sample with Motherboard to create awareness about the intrusion and help save "people from a huge headache."

Motherboard reports that it is possible the hash was created using the MD5 algorithm. The publication passed the hash to Jeremi Gosney, a password security expert and founder of Terahash, who says he's still unclear as to what algorithm may have been used.

"I was only ever provided one hash, so I have not made any progress," Gosney tells ISMG. "Cracking one single hash out of millions is difficult - even more difficult if you do not know what the algorithm is."

Most service providers store passwords as hashes, which are fixed-length mathematical representations of a plain-text password. Hashes are supposed to be irreversible, meaning that it's not possible to take the hash and work out the real password from it.


But MD5 is no longer considered a safe algorithm for hashing passwords. Because MD5 is so fast to compute, an attacker holding a stolen hash can generate MD5 hashes of huge numbers of candidate passwords until one matches, which is often referred to as password cracking.

In light of the many data breaches, some service providers are moving to bcrypt, an algorithm considered more resistant to cracking attempts. That's because password-cracking rigs can't generate bcrypt hashes nearly as fast as MD5s. But MD5 is still prevalent, Gosney says.

"Bcrypt adoption is still pretty low," Gosney says. "MD5 is by far and wide the most common."

If the leaked T-Mobile password hashes were indeed MD5, it may indicate that T-Mobile isn't keeping up with the best security practices.

Asked how many encrypted passwords might have been exposed, how it hashes passwords and whether or not they've been "salted" (the practice of adding random data to each password before hashing it, so that identical passwords produce different hashes and precomputed tables are useless), T-Mobile declined to comment. "We don't discuss publicly how we encrypt passwords," the company tells ISMG.
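The points above about MD5 versus a slow hash such as bcrypt, and about salting, can be seen concretely in the following added example, which is not code from the article or from T-Mobile. Because bcrypt is not in Python's standard library, it uses PBKDF2-HMAC-SHA256 (also a salted, deliberately slow password hash) as a stand-in; the iteration count and the stored-string format are assumptions made here.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Stand-in for bcrypt's work factor (assumption, not a value from the article).
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password: str) -> str:
    """The weak scheme discussed in the article: fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash, stored as 'iterations$salt$digest' (constructed format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_per_second(hash_fn, candidates) -> float:
    """Throughput of one hashing scheme: how many candidates per second can be
    checked against a stolen hash. Lower is better for the defender."""
    start = time.perf_counter()
    for candidate in candidates:
        hash_fn(candidate)
    elapsed = time.perf_counter() - start
    return len(candidates) / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    # Constructed sample: two customers who happen to share the same password.
    pw = "correct horse battery staple"
    print("unsalted MD5 identical for both users:", md5_unsalted(pw) == md5_unsalted(pw))
    a, b = slow_salted_hash(pw), slow_salted_hash(pw)
    print("salted hashes differ:", a != b,
          "| both still verify:", verify_slow_salted(pw, a) and verify_slow_salted(pw, b))
    cands = [f"password{i}" for i in range(20)]  # constructed candidate list
    print(f"MD5: {guesses_per_second(md5_unsalted, cands):,.0f} guesses/s  "
          f"PBKDF2: {guesses_per_second(slow_salted_hash, cands):,.0f} guesses/s")
```

The throughput gap printed at the end is the whole reason slow hashes exist: with unsalted MD5 one precomputed table cracks every customer who chose the same password, while a salted slow hash forces separate, expensive work per account.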

Phone Number Thefts

T-Mobile's breach and the subsequent leak of customers' personal information come as concern rises over attackers taking control of consumers' phone numbers, in what is known as a SIM hijacking attack.

One way the attack can be carried out is by social engineering a customer service representative. An impostor pretends to be the authorized mobile account holder by providing the authentication information requested. The victim's phone number may then be transferred to a new SIM card held by the attacker.

SIM hijackings are dangerous because many online providers consider a phone number as a key piece of authentication. Two-step verification codes are often sent over SMS. Also, some service providers will send a code via SMS in order to reset a password, allowing attackers to take over someone's account without capturing login credentials and completely bypassing two-factor barriers in place.

In the wake of its breach report, T-Mobile has obliquely alluded to these risks. In a tweet, the company advises that "if you do not already have a PIN/passcode on your account, you should add one because you could be at risk." An additional PIN or passcode could stop or at least slow down attackers, but that's only if mobile providers actually request it during a service call.

We have a number of safeguards in place to monitor and respond to these attacks. Fortunately, we discovered this activity quickly and shut it down. If you do not already have a PIN/passcode on your account, you should add one because you could be at risk. *JohnKinder — T-Mobile Help (@TMobileHelp) August 24, 2018

Earlier this month, cryptocurrency investor Michael Terpin sued AT&T for allegedly failing to prevent his mobile number from being seized twice in about seven months. Terpin saw $24 million worth of virtual currencies that he was holding get stolen, and that is just one incident among many that have leveraged SIM hacking to steal virtual currency (see AT&T Sued Over $24 Million Cryptocurrency SIM Hijack Attacks).

After Terpin's phone number was taken over the first time, AT&T stepped up the security on his account and added a six-digit passcode, he alleges in his lawsuit. But Terpin further alleges that AT&T customer service representatives didn't ask for the passcode before his phone number was taken over the second time. He has suggested that an insider may have been working with attackers.

(Executive Editor Mathew Schwartz contributed to this story.)