T-Mobile has confirmed hackers breached its systems.
The cell giant, currently merging with Sprint, said in a statement that hackers stole customer names, billing zip codes, phone numbers, email addresses, account numbers, and account type — such as if an account was prepaid or postpaid — in what the company described as an “unauthorized capture of data.”
No customer financial or billing data was compromised, the company said.
It’s not known when the breach occurred, but the unauthorized access was detected and shut down on Monday.
A T-Mobile spokesperson told TechCrunch that the breach was “discovered and stopped very quickly,” and “affected a small number” of customers. But Motherboard reported that a spokesperson said about 3 percent of the company’s 77 million users were affected — some 2 million accounts.
T-Mobile began notifying customers of the breach Friday morning with a text message sent to affected accounts. But that drew ire from some, who said the shortlink in the text message looked like phishing.
So @TMobile have been sending out a breach alert (a legit one) using a short URL and a number of people think it’s #phishing.
Why? BECAUSE IT LOOKS LIKE PHISHING! https://t.co/5fZJxaKszd
— 𝐎𝐥𝐢𝐯𝐞𝐫 𝐇𝐨𝐮𝐠𝐡 ⛱ (@olihough86) August 24, 2018
This is the latest in a string of security incidents at T-Mobile in the past year.
In May, a security researcher found a security weakness in a T-Mobile subdomain used by staff, which returned customer data without requiring a password. It was similar to a vulnerability found in another T-Mobile system reported by Motherboard some months prior, which exposed customers’ email addresses, their billing account numbers, and their phones’ IMSI numbers.
T-Mobile and other carriers earlier this year were also forced to stop sharing customer location data with third parties, after Democratic senator Ron Wyden criticized the cell giants for the practice.