
Data protection to be thankful for

December 2, 2019 2 min read

As we wrap up our Thanksgiving celebrations, T-Mobile should consider giving its own small bit of thanks.  Or at least count itself relatively lucky.  Two big breaches in two years, and its customers’ financial data was not compromised in either.

In August 2018, the first of the pair exposed about 2 million customer records to hacker targeting and theft, including usernames, phone numbers, emails, zip codes, and weakly encrypted passwords.  At the time, T-Mobile gave the standard response about having measures in place to prevent a recurrence of the event.  Unfortunately, that protection seems to have only held for about a year.  The provider announced a new breach a few days ago, one that impacted over one million prepaid customers through unauthorized access to data.  Similar information was affected.  Details about the database, breach duration or solution are still scarce, but it seems T-Mobile shut this one down pretty quickly after discovery.

Of course, even with quick response time and the most sensitive data kept safe, cyber criminals are still able to assemble portfolios and false identities based on the very real information left by people’s various online footprints.  This is made even easier when Google Cloud servers sit unsecured with 4 terabytes of data on 1.2 billion users, like the one security researcher Vinny Troia found in October.  Aside from names and email addresses, the data reportedly included social media profile information, such as Twitter and Facebook profiles and work histories from LinkedIn.  “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale,” Troia said to Wired.

All of the data gathered on platforms like this makes for a dangerous puzzle.  In this case, the ownership and purpose of the database, and the origin of its contents, remain in question.  Some of it at least appears to have belonged to People Data Labs, which sells such information to customers.  Selling it is a completely legal process, which goes to show how easy it is to obtain information about people online, whether through ‘legitimate’ means or otherwise.

The database has since been taken offline, according to Troia, who also notified the FBI.  This is just another reminder of how vulnerable your personal information can be online—how easily it can be compromised.  And if yours hasn’t, or your company’s hasn’t, well, that’s just another thing to be thankful for.


By: Jonathan Weicher, posted on December 2, 2019
Originally published at: http://www.netlibsecurity.com
Copyright: NetLib Security
