On August 16, 2021, T-Mobile released a statement confirming that unauthorized access to customer data had occurred. The attacker, who has claimed to be John Binns, first gained access to T-Mobile's network through an unprotected router on July 19, 2021. ZDNet reports that from there he probed gaps in T-Mobile's security architecture until he reached a T-Mobile data center in Washington. More than 100 servers were accessed, and it took the attacker roughly one week to reach the servers holding personal data on millions of former, current, and prospective customers. Binns shared with Bleeping Computer screenshots of his SSH connection to a production server running Oracle. On an underground forum, the attacker was found selling a sample of the data for 6 bitcoin. According to Bleeping Computer, the stolen data included not only personal information but also IMEI databases dating back to 2004.
T-Mobile was notified of the breach by a cybersecurity company. Wired warns customers that with the stolen data, malicious actors could engage in follow-on crimes such as social engineering and SIM swap attacks. T-Mobile brought in KPMG and Mandiant to investigate the breach and to help improve its security practices. The carrier is also offering those affected two free years of McAfee identity protection, along with its Scam Shield and Account Takeover Protection services. It is encouraging all customers to reset their passwords and PINs, review and monitor their credit accounts, enroll in fraud alerts, use identity theft monitoring, and use a password manager.