T-mobile data breach: 100M users potentially affected

TMO Statement so far:

1 Like

We don’t know anything yet; the statement @alphawave7 just posted is “we’re working on it”. The Equifax hack was 100% negligence, and if this ends up being an insecure partner API or an unsecured ElasticSearch DB left open, that’s on TMO.

2 Likes

… and when it rains, it pours. Bad day to be Legere.

2 Likes

Close the government, Colonial, etc :grin:

2 Likes

There is a difference between a system secured based on best practices and complete negligence. That should definitely be a differentiating factor in these investigations.

1 Like

Yea for sure. If they implemented best practices and processes, punishing them doesn’t really do anything. The problem with system vulnerabilities is that you don’t know what you don’t know. However, if it’s clear that they were negligent, cutting costs, ignoring best practices, etc., then there should absolutely be consequences.

1 Like

Notable highlights include that your information may be out there even if you just applied for an account but never opened one… :man_facepalming:

  • Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.

  • Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile.

  • At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.

… we really need those penalties mentioned above for companies pulling shenanigans like this, especially if they’re going to be holding onto historical data like this for who knows how long.

3 Likes

Yay, another free 2 year identity monitoring service! /s smh

5 Likes

I’m going to say something wildly unpopular. With every data breach, our “personal data” becomes a lot less personal and a bit more public. Time to start treating your name, ID numbers (DL, SSN), and contact information like a license plate: visible to everyone, but basically useless except to those who have the keys to use it.

In other words, freeze your damn credit bureaus unless you need them open. Use multi factor authentication everywhere you can. Secure with biometrics when possible. Do that, and you just get used to the fact that this data is out there and you’ve now made it nearly worthless to those who try to use it.

Edit to add: I’m not saying you need to be happy or support companies that don’t respect and secure your data. I say this as a POed T-Mobile customer.

6 Likes

Companies need to stop treating the last 4 of the SSN as a valid way to prove identity to gain access. “Please enter your DOB and last 4 of SSN” is the biggest BS in securing anything.

2 Likes

It’s time to stop using social security numbers for anything…

1 Like

You are still going to need some sort of a universal ID number, but you are right, in this day and age something more modern and secure would make more sense. The blockchain concept is very well suited for this.

For sure. Social security numbers weren’t made for a digital world. Give me a blockchain number or something. Of course, I have no idea what I’m talking about.

Now that the T-Mobile number is roughly only 8M customers and 40M applicants, AT&T would like you to hold its beer :beer:

These hacks make you more prone to SIM swap attacks (to get your SMS 2FA messages).

https://www.msn.com/en-us/news/technology/t-mobile-hack-and-sim-swap-fraud-how-to-prevent-your-phone-number-from-being-stolen/ar-BB19y5rk

Which is why

3 Likes

I got the wife on Yubikey for her work stuff, but I decided I couldn’t fight BofA and USBank who refuse to do any other verification other than SMS. So I set about buying a prepaid SIM, and have an old phone, both completely unrelated to my current TMO plan, just for SMS verification. There is no private or public record of this number, and SMS verification is all it gets used for…from a TMO reseller called Ultra Mobile, and works out to $3/ month, paid annually with a business credit card.

1 Like

I just received a text from TMO saying that my information leaked was limited to name, address, phone and DOB.

They say my SSN, financial accounts, bank/debit cards were not leaked.

How do they know exactly what was stolen?

Depending on how they stored the data and the storage type, your data could be divided into different categories and stored across multiple databases/tables/collections. For example, the user profile information might be stored in one table while the financial info/SSN might be stored in another. Depending on the security hole, the hacker could have accessed the user profiles but not the financial one. Using the audit trail they can discover what data was accessed by the hacker.

2 Likes
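As an added illustration of the audit-trail point in that reply (example code written for this page, not from the thread or any carrier’s systems): a small Python script that reads constructed per-line JSON audit events, flags sessions that came from an unexpected source address or pulled bulk row counts, and then reports which data categories those sessions read and which they never touched, which is what lets a notification say “profile and SSN, but not card data”. The table names, log format, source addresses and thresholds are all assumptions.

```python
import json
from collections import defaultdict

# Which table holds which data category. Constructed for this example, following
# the profile-vs-financial split described in the post; not any real schema.
TABLE_CATEGORY = {
    "customer_profile": "profile",       # name, address, phone, DOB
    "credit_applications": "ssn_id",     # SSN, driver's license/ID
    "payment_instruments": "financial",  # bank/debit card details
}

# Constructed audit-log lines (assumed JSON-per-line format, not any vendor's).
SAMPLE_AUDIT_LOG = """\
{"ts":"2021-08-03T22:10:01Z","session":"s-17","user":"svc_billing","src":"10.40.7.21","table":"payment_instruments","op":"SELECT","rows":12}
{"ts":"2021-08-04T02:11:09Z","session":"s-41","user":"svc_report","src":"10.40.9.5","table":"customer_profile","op":"SELECT","rows":47800000}
{"ts":"2021-08-04T02:14:30Z","session":"s-41","user":"svc_report","src":"10.40.9.5","table":"credit_applications","op":"SELECT","rows":40000000}
{"ts":"2021-08-04T03:00:12Z","session":"s-42","user":"svc_billing","src":"10.40.7.21","table":"payment_instruments","op":"SELECT","rows":9}
"""


def parse_audit_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_sessions(events, known_sources, row_threshold):
    """Flag a session if any of its reads came from a source address outside the
    allow-list or pulled more rows than a legitimate job would (bulk-read heuristic)."""
    flagged = set()
    for ev in events:
        if ev["src"] not in known_sources or ev["rows"] > row_threshold:
            flagged.add(ev["session"])
    return flagged


def scope_exposure(events, flagged):
    """Return ({category: rows_read} for tables the flagged sessions read,
    [categories with no read at all], which can be ruled out in the notice)."""
    exposed = defaultdict(int)
    for ev in events:
        if ev["session"] in flagged and ev["op"] == "SELECT":
            exposed[TABLE_CATEGORY.get(ev["table"], "unknown")] += ev["rows"]
    untouched = sorted(set(TABLE_CATEGORY.values()) - set(exposed))
    return dict(exposed), untouched


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = flag_sessions(events, known_sources={"10.40.7.21"}, row_threshold=100000)
    exposed, untouched = scope_exposure(events, flagged)
    print("suspicious sessions:", sorted(flagged))
    print("categories read:", exposed)
    print("categories never read (can be ruled out):", untouched)
```

The same split works on a real audit trail only if reads of every sensitive table are logged with session and source attribution; a table with no audit coverage cannot be ruled out this way.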

I’ve used them before, they are fine. Just don’t forget to renew, or you’ll lose access to that phone number!

The Wirecutter has updated their 2FA guide for anyone considering it.

The apps without cloud syncing are more secure, but their recommendation, Auth, is much easier to manage when you get a new phone (which can be a nightmare with RSA and Google Authenticator).

Not that TMO has disclosed the source of the intrusion yet; meanwhile, the WSJ interviewed the hacker who p0wned them:

https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105

I mean, why would the nation’s 3rd largest mobile provider, I don’t know, have secure routers?

“I was panicking because I had access to something big,” he wrote. “Their security is awful.”

He said it took about a week to burrow into the servers that contained personal data about the carrier’s tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.

If you are a TMO customer because their service is cheaper, I’m sorry you are getting exactly what you paid for.

1 Like

I don’t have access to WSJ, but from what you’ve posted it doesn’t even sound like a hack tbh. Their entire security was based on the logic that the perimeter is impregnable, so anyone who’s in the internal network has the right to be there?!? If that’s not the case, breaching a single unsecured router shouldn’t give you access to individual servers and definitely not to PII data. It also took him a week to get to the data. So no audits, no alarms, nothing? It just sounds like the whole network was set up by a lowest-cost vendor and never set up for any kind of proactive threat assessment.