In brief: We’d say you’ll never guess which telco admitted to a security breakdown last week, but you totally will: T-Mobile US, and for the second time this year.
“The information obtained for each customer varied, but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts, and the number of lines,” the “Un-carrier” explained in its letter.
T-Mobile has had tens of millions of customer records compromised over the years.
Its first reported breach was in 2018, when two million records were accessed along with hashed passwords, and a year later more than a million customers had their data exposed.
In this case, an attacker with control over Thread Context Map input data in environments with non-default logging configurations is able to craft malicious input data that can leak information and enable remote code execution.
“We have admissions data from thousands of students,” the attackers declared, claiming they had 1.2TB of data and that they’re ready to use it.