T-Mobile released a statement on Thursday informing customers that it has experienced a data breach in which attackers were able to gain access to “certain information.” Limited details were immediately available but a spokesperson confirmed that around 2 million customers are believed to have been affected.
Motherboard first flagged the statement that was posted to T-Mobile’s website late on Thursday evening. The company said its cyber-security team first discovered that hackers had gained unauthorized access to its system on August 20. T-Mobile has claimed that no financial data like social security or credit card numbers were exposed, and passwords were also said to be safe. The only information the hackers were able to access was listed as: “name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”
The wording in T-Mobile’s statement is a bit confusing where it says its team “shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities.” That statement appears to imply that information beyond data belonging to customers may have been accessed. A spokesperson clarified to Gizmodo that the phrasing was intended to assure customers that if they were affected by the breach, it does not mean that every category of information that could’ve been stolen was stolen. The spokesperson said the attack came through an API and no corporate information was accessed.
When asked if the company has a sense of how long the attackers may have had access to customer information, T-Mobile’s spokesperson said the company believes the attack was caught and shut down “almost immediately.” The security team isn’t currently aware of the hackers motivations or origins, but could only confirm that the attack came from outside the United States.
Often in cases like this, the number of victims and types of data accessed can change with further research, but T-Mobile told us that its investigation has concluded and that no information is expected to change. The statement does not say how many customers were affected but the spokesperson confirmed to Gizmodo that the company believes it was around three percent of the 77 million T-Mobile customers. That would be about 2 million people.
T-Mobile lists several ways that anyone can get in touch with the company if they have questions or concerns. It said customers it knows to have been affected will be contacted by text message, but it’s always good to be pro-active in this type of situation. Even with limited information, hackers can piece together strategies to commit fraud and identity theft.