The Washington Post: Democracy Dies in Darkness

Here’s what to do if you think you’re affected by T-Mobile’s big data breach

It’s worth taking action now, even as the wireless carrier continues its investigation

T-Mobile on Aug. 18 said an investigation into a data breach revealed that hackers obtained personal information belonging to more than 40 million individuals. (Video: Reuters)

This week, wireless carrier T-Mobile confirmed reports of a major data breach in which hackers obtained personal information belonging to more than 40 million past, present and potential customers.

And in a sign that the extent of the data breach is more severe than previously expected, T-Mobile on Friday confirmed that personal data belonging to an additional 5.3 million customers was obtained in the hack.

That means full names, dates of birth, Social Security numbers, information from driver’s licenses as well as unique identifiers for customers’ phones were leaked, potentially putting millions of those people at greater risk of identity theft.

Unfortunately, dealing with data breaches is nothing new for the company — or its customers.

For those keeping count, this is the fifth such incident the wireless carrier has suffered in the past three years, but according to Allie Mellen, a security and risk analyst at Forrester Research, this is “the worst breach they’ve had so far.”

T-Mobile says it has “sent communications to millions of customers and other affected individuals” and encourages customers to visit a new webpage meant to help secure those people against “cybersecurity threats.” The company’s suggestions are a start, but if you’re concerned that your time with T-Mobile — past or present — has left your personal information vulnerable, here are a few things you should consider doing right now.

Change your password and PIN

T-Mobile suggests you do this, and the experts we talked to agree — changing your account password and PIN should be one of the first things you do. That’s because the personal information made available through the data breach can give an attacker almost everything they need to gain access to your T-Mobile account. (This is especially true for 850,000 of the company’s prepaid phone customers, who had their account PINs leaked alongside their names and phone numbers.) And once an attacker has access to one of your accounts, more are likely to follow.

“The data that identity thieves want today tends more often than not to be log-ins and passwords,” said James E. Lee, chief operating officer at the Identity Theft Resource Center. “They want credentials, because that’s what they can use to break into other systems.”

Freeze your credit

Some of the deeply personal data made available through this data breach could be a gold mine for attackers who want to make use of your credit. That’s why personal finance and identity theft expert Adam Levin says affected customers should freeze their credit reports. You’ll have to contact each of the three major credit bureaus — Equifax, Experian and TransUnion — with your requests, but freezing your credit is completely free, doesn’t affect your credit score and prevents anyone with your personal information (including you) from opening new lines of credit without securely “thawing” everything first.

Lee couldn’t agree more, noting that freezing your credit is “the most important thing you can do that is preventative” and that there’s little downside to it.

To learn more or to get started freezing your credit reports, check out the Equifax, Experian and TransUnion websites.

Rethink two-factor authentication

If you’re even mildly security-conscious, you might already have two-factor authentication enabled on some of your online accounts — and that’s good thinking. Here’s the rub, though: If you’re concerned your data has been compromised as part of this breach, it might be time to rethink how you use 2FA.

Let’s say an attacker manages to obtain your name, date of birth and Social Security number — if they luck out and find your address and reused password in other data dumps, that might be enough to give them access to your T-Mobile account. If that happens, you could be vulnerable to what’s called a SIM-swap attack, in which the hacker manages to switch control of your phone number to a phone they control. That’s definitely bad, but what could make it worse is if the verification codes sent by services like Amazon, Twitter and many banks are delivered via text message. In that case, the keys to your online kingdom could be ferried straight to someone else.

One possible fix: Lee suggests using, whenever possible, authenticator apps from companies like Google and Microsoft that live directly on your phone. “Just having the text or the email that goes to the device is not as secure as having that authenticator app,” he said. “We always recommend to consumers that they use that, and to businesses that they offer that.”

Keep monitoring the situation

T-Mobile’s investigation is really only getting started, but new updates are being shared at a fairly rapid clip. In the company’s Friday update, T-Mobile confirmed that the scope of the hack was larger than it had previously reported, and noted that in some cases, the attacker also obtained identifiers specific to people’s phones.

There are two kinds of identifiers involved in this mess. First up are IMEI numbers — unique strings of 15 digits — tied specifically to people’s phones. These identifiers don’t contain any personal information, but IMEI numbers can be blacklisted if the device they’re attached to is reported stolen. Theoretically, that means an attacker might be able to temporarily prevent you from using your phone. If someone was able to access your account — perhaps with a password of yours that was leaked in another breach — the hacker could make a quick call to customer service and prevent you from using your phone.

The other identifier — IMSI, or International Mobile Subscriber Identity — can be similarly problematic. IMSI numbers identify your device on the network it’s connected to, and they’re different from the numbers printed directly on your phone’s SIM card. That means you aren’t automatically at risk for SIM-swap attacks if yours is floating around in the wild, but if you have reason to believe you’ve been affected by this breach, it might be worth contacting T-Mobile to see if you need to replace your phones’ SIM cards.