Telecom giant T-Mobile has been hacked. AT LEAST 49 million accounts have been compromised. The leaked data includes things like:
- Full names
- Phone numbers
- Account PINs
- Social Security numbers
- Driver License numbers
All the information someone would need to ruin your credit. Served up on a smorgasbord by some magenta-clad moron out in Bellevue, WA.
Details are still sketchy regarding how hackers were able to get into T-Mobile's systems, and I assume they'll remain so. What matters now is those records, reported to be 49 million by various news sources (but closer to 100 million according to the hackers), are now for sale online. The thieves are looking for close to $300,000 for the records.
This is a real bummer for anybody who uses the "Un-Carrier" for their mobile phone service. Unfortunately with hacks like this, there's no real way to undo what's been done but we have a few suggestions.
If you're a T-Mobile Customer:
- Change your PIN - Every account has a PIN (personal identification number) associated with it. Since PINs were compromised in this breach for between 49 million and 100 million accounts, there's a decently good chance yours was one of them. Honestly though, even if your's WASN'T one of the compromised accounts you need to log in and change your PIN immediately, just to be safe.
- Enroll in the FREE Identity Theft Protection Program T-Mobile is Offering - Shortly after the hack was made public T-Mobile announced they'd be offering customers two FREE years of Identity Theft Protection via McAfee's ID Theft Protection Service. They're also encouraging people to sign up for T-Mobile's Account Takeover Protection service. You'll be able to find out more information regarding these things via the T-Mobile customer portal.
- Change Your Password Too - While you're in their system you might as well change your password. It's good practice to change your passwords regularly to maintain good security hygiene and there's no time like the present to start doing so.
General Advice for Anybody Reading this (T-Mobile Customer or Not)
- Run a Leaked Credential Report - Most people don't know how to see whether or not their credentials have been exposed. That's where services like Have I Been Pwned come in. The service keeps track of data breaches and allows users to enter their email addresses and see if it's been exposed on the Dark Web. Results come up instantly and they tell you which services you use have been compromised. Security7 offers a similar service for businesses, that you can sign up for if you're worried your business email has been compromised.
- Monitor and/or Freeze Your Credit Reports - This is a legitimate pain in the rear end but it'll protect you better than anything else. The three big credit bureaus (TransUnion, Equifax, Experian) all allow people the ability to not only check their credit scores for free once a year but the ability to FREEZE their credit report as well. Once frozen no one can open up new accounts in your name (using information potentially stolen from T-Mobile or somewhere else). Now, if there's a downside to this (and there is), it's this; you'll need to jump through hoops to unfreeze your credit reports and it'll cost you a couple of bucks in the process. Yeah, it's still better than having your identity stolen, but it's a hassle and the credit bureaus are not...user-friendly. Of course, your mileage may vary.
- Close Zombie Accounts - Braaaaaains! Sorry, couldn't resist. A zombie account is an account you signed up for or opened and then promptly abandoned. Maybe you didn't like the service. Maybe you completely forgot about it. Either way, it's out there, shuffling along on the internet, just waiting to be snatched up. Trying to remember where you spread out information can be difficult, thankfully most internet browsers record password instances and a simple search through your settings could reveal where some of these are. If you're a more advanced user you might even have a password management service that does the very same thing. The important thing to do is spend some time finding out where these accounts are and then terminating them with extreme prejudice like you're a member of the ever-present biker gang in a George Romero movie and you're out hunting the undead.
Other than that there isn't much more you can do. Unfortunately, it's a waiting game. It's not a matter of if your information will be leaked, it's a matter of when. It's going to happen. There's no way around it's just a question of if it'll be today or tomorrow. It's coming. Be ready for it.