The Washington PostDemocracy Dies in Darkness

Here’s what you need to know about T-Mobile’s latest data breach

It’s worth taking action now, even as the wireless carrier continues its investigation.

Updated May 2, 2023 at 5:11 p.m. EDT|Published January 19, 2023 at 9:07 p.m. EST
The T-Mobile logo is seen on a storefront in Boston in October. (Michael Dwyer/AP)
6 min

This story has been updated to reflect the latest T-Mobile hacking incident.

A “bad actor” obtained personal information — including phone numbers, email addresses, social security numbers, and even account PINs — tied to 836 people, the wireless carrier said in notices sent to affected customers starting last Friday.

That “actor,” who has yet to be identified publicly, is believed to have first gained access to customer information on or around Feb. 24. T-Mobile did not discover the intrusion until March 27 according to a data breach notification the company submitted to the Office of the Maine Attorney General.

“We apologize that this happened and are furthering efforts to enhance security of your information,” the company’s notice reads. Unfortunately, dealing with these kinds of breaches is nothing new for T-Mobile — or its customers.

T-Mobile has dealt with a string of high-profile attacks in recent years, including a 2021 incident that experts at the time called “the worst breach they’ve had so far.” At the time, full names, dates of birth, social security numbers, information from driver’s licenses as well as unique identifiers for customers’ phones were leaked, which put more than 40 million customers at a greater risk of identify theft.

As a result of that incident, T-Mobile agreed to settle multiple class-action lawsuits for $350 million, and pledged at the time to spend an additional $150 million shoring up its data defenses. So far, though, it’s unclear how much that investment has helped: this is the second confirmed data breach the company has faced since announcing it.

While this latest attack has affected a comparatively small number of people, T-Mobile customers should strongly consider taking some time to rethink the way they interact with the company. If you’re concerned that your time with T-Mobile — past or present — has left your personal information vulnerable, here are a few things you should consider doing right now.

Change your password and PIN

Unlike prior incidents, the attacker in this case was able to obtain at least some people’s account PINs — that is, the code you would use to verify your identity when contacting T-Mobile customer service. The company told affected subscribers that it proactively reset those PINs, but it’s also worth taking a moment to make sure your passwords are as strong as they should be.

That’s because the personal information made available through data breaches like these can give an attacker almost everything they need to gain access to your T-Mobile account. And once an attacker has access to one of your accounts, more are likely to follow.

“The data that identity thieves want today tends more often than not to be log-ins and passwords,” said James E. Lee, chief operating officer at the Identity Theft Resource Center. “They want credentials, because that’s what they can use to break into other systems.”

Freeze your credit

“The information obtained for each customer varied,” T-Mobile told its affected users, but among the data up for grabs were deeply sensitive details like social security numbers and government ID.

And that could, unfortunately, come in handy to attackers who want to make use of your credit. That’s why personal finance and identity theft expert Adam Levin says affected customers should freeze their credit reports.

You’ll have to contact each of the three major credit bureaus — Equifax, Experian and TransUnion — with your requests, but freezing your credit is completely free, doesn’t affect your credit score and prevents anyone with your personal information (including you) from opening new lines of credit without securely “thawing” everything first.

Lee couldn’t agree more, noting that freezing your credit is “the most important thing you can do that is preventive” and that there’s little downside to it.

To learn more or to get started freezing your credit reports, check out the Equifax, Experian and TransUnion websites.

Rethink two-factor authentication

If you’re even mildly security-conscious, you might already have two-factor authentication enabled on some of your online accounts — and that’s good thinking. But here’s the rub: If you’re concerned your data has been compromised as part of this breach, it might be time to rethink how you use 2FA.

Let’s say an attacker manages to obtain your name, date of birth and address — if they luck out and find your Social Security number and reused password in other data dumps, that might be enough to give them access to your T-Mobile account. If that happens, you could be vulnerable to what’s called a SIM-swap attack, in which the hacker manages to switch control of your phone number to a phone they control.

That’s bad enough, but what could make it worse is if the verification codes sent by services like Amazon, Twitter and many banks are delivered via text message. In that case, the keys to your online kingdom could be ferried straight to someone else.

One possible fix: Lee suggests using, whenever possible, authenticator apps from companies like Google and Microsoft that live directly on your phone. “Just having the text or the email that goes to the device is not as secure as having that authenticator app,” he said. “We always recommend to consumers that they use that, and to businesses that they offer that.”

Stay vigilant

T-Mobile told its customers that, after discovering the intrusion, it took steps to “terminate” the attacker’s access and implemented “measures to protect against it from occurring again in the future.” Sounds like case closed, right?

Even so, it’s worth keeping an eye on the situation for at least a little longer. In the aftermath of the company’s massive 2021 data breach, T-Mobile confirmed that the scope of the hack was even larger than it had previously reported days after its first public disclosure. (That said, the company told the Post in an email that “all customers have been notified.”)

For what it’s worth, T-Mobile is also offering affected customers two years worth of credit monitoring and identity theft services. If you’ve been caught up in this breach, it’s worth checking to make sure emails from these monitoring services don’t inadvertently wind up in your spam folder.