T-Mobile has alerted hundreds of customers who were targeted by cybercriminals trying to hijack their SIM cards.
The company contacted the targeted customers over the last two weeks, after Motherboard revealed that a bug on a T-Mobile website allowed hackers to access customers’ personal data such as email address, account number, and their phone’s IMSI, a standardized unique number that identifies subscribers.
Before T-Mobile patched the bug on October 10, hackers had been taking advantage of it to pull customers’ personal data and then use it to impersonate them. No password, Social Security number, or financial information was exposed in these attacks, according to a T-Mobile spokesperson.
The ultimate goal was to hijack or “swap” the victim’s SIM card. This gives the criminals a chance to take over the victim’s phone number and then move on to targeting other online accounts that might have been linked to that number, such as email and banking accounts, according to a blackhat hacker who is familiar with these attempts and requested to remain anonymous. (To prove he knew about these attempts, the hacker sent me my own account’s data.)
This is a relatively rare, but extremely dangerous kind of scam that can even be used to steal SMS-based two-factor authentication codes, giving cybercriminals the ability to hack into your account if they can also steal your password.
On Monday, a T-Mobile customer support representative called to inform me “of a detected alert” about my personal information. On Wednesday, a company spokesperson confirmed via email that T-Mobile has contacted “a few hundred customers” who were impacted.
“If you were impacted you were called,” the spokesperson told me on the phone.
“We found that there were a few hundred customers targeted,” the spokesperson later said in a statement. “We take our customers’ privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure.”
The spokesperson did not specify exactly how many customers were targeted.
The bug was reported in early October by Karan Saini, a security researcher. As it turns out, however, hackers had known about the vulnerability since at least August 6, when a hacker uploaded a tutorial on YouTube on how to exploit the vulnerability.
Initially, when Motherboard and the researcher reached out, T-Mobile said that there was “no indication that [the bug] was shared more broadly.” On October 11, a T-Mobile spokesperson said that “as of this time we’ve found no evidence of customer accounts affected as a result of this vulnerability.”
Clearly, that was not the case, and security experts criticized T-Mobile for not detecting these attacks earlier.
The T-Mobile customer support representative I spoke with said that someone was trying to duplicate my SIM card and that’s why they were calling. The representative suggested changing the online account password and setting up a “SIM lock.” This forces more stringent controls when someone tries to get a new SIM card for a customer’s phone number.
If you were targeted by hackers taking advantage of this bug, T-Mobile should’ve called you. But if you’re worried someone might target you in the future in a similar way, the company recommends setting up a phone password or passphrase that is only requested when you call T-Mobile support on the phone and is separate and different from the one you use for your online account. This, just like the SIM lock, adds another layer of security and makes it harder for hackers to hijack your phone number.