100m T-Mobile accounts reportedly hacked, including social security numbers

Originally published at: 100m T-Mobile accounts reportedly hacked, including social security numbers | Boing Boing


I got T-Mobile so that’s exciting 😓


It’s never made sense to me that mobile network operators retain Social Security numbers. If we accept that they need to collect them in order to do a credit check on a new customer signing a contract, I still see no reason for them to retain that piece of information once the credit check has been requested. Likewise the driving license/state identification numbers.

Data is a toxic hazard. Dispose of properly and you won’t have leaks later.


This basically ensures the FCC can never hold any of these companies accountable for bad data handling. Data breaches are complex and hard to investigate. It’s not uncommon for a breach to be attributed to a company that was not the one that was breached. Outside investigations after a breach can take months or years to come to a full conclusion. Requiring the FCC to bring its case in one year seems like an impossible burden to meet.

It’s a little sad that SSNs were leaked instead of credit card numbers; Visa and MasterCard might actually have imposed some financial liability if it was their business that was impacted.


Oh the joy of the modern age.


I am a T-Mobile customer (well, a pre-pay customer). How is it they have my Social Security number? I didn’t give it to them.


The website HL7.org, which is a reference site for the healthcare industry, will still send you your original password if you forgot it, i.e. they keep it somewhere, and if hacked, the users of that site, people like me who are responsible for medical data/HIPAA compliance/security in the medical field, are at risk. Sigh…

Long story short, if you’re on the internet and personally do everything right, if any company has your personal information, you’re still screwed.


Great. I have T-Mobile, but only because I used to have Sprint…


Nobody has to retain an in-clear password. Industry standard practice is to hash it and compare the hash of what you enter with the stored password hash. Of course, if you choose an insecure hash algorithm, as LinkedIn once had (MD5), then your stored hashes can still be reversed into passwords via a “dictionary attack.”


Same. Starting to wonder if maybe I should jump ship.


I’m pretty certain @ashe was just saying that since the site will send you your password in the clear, that means it has to be kept somewhere in the clear.


I doubt any other carrier is all that much better.

We keep letting them merge and monopolize.

Eventually there’ll be no alternative and they’ll be too big to punish.


Likewise I just got a T-Mobile SIM to replace the Sprint one in my phone. I feel really fortunate though because this is only for my work phone. My personal phone is not on the same carrier.


Even if it was hashed, salted, and encrypted, having access to all of the systems that can do that is a bad deal. Here’s how it should work.

"When a user changes their password, or when a user account is created, the new password is typed in for the first time, the computer security application takes that password and runs it through a hashing algorithm and stores the resulting number in a database. The next time you try to sign-in and enter your password, the security system runs the password you entered through the same hashing algorithm and checks if the resulting hash matches the hash in the database (a hash is the number that a hashing algorithm spits out). If they match, then you’re allowed in.

No longer are passwords stored in clear text in a database. If a hacker steals the user accounts database, they don’t automatically have all passwords, all they have is a list of hashes."
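
The store-a-hash, compare-on-login flow described in the comments above, as an added example that is not part of the thread or any commenter's code. The function names, the record format, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration; the unsalted fast hash is included only to show what the salt changes.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build the record to store: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the submitted password and compare it."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256" or not 1 <= rounds <= 10_000_000:
        return False  # unknown scheme or implausible work factor
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_fast_hash(password: str) -> str:
    """Weak scheme for contrast: one fast digest, no salt, no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to pick the same password.
    shared = "correct horse battery staple"
    alice, bob = hash_password(shared), hash_password(shared)
    print("salted records differ:", alice != bob)
    print("login with right password:", verify_password(shared, alice))
    print("login with wrong password:", verify_password("guess", alice))
    # Without a salt, equal passwords give equal hashes, so one precomputed
    # table of common passwords matches every account that used them.
    print("unsalted hashes equal:",
          unsalted_fast_hash(shared) == unsalted_fast_hash(shared))
```

There is no function here that returns the original password, because the stored record does not contain it; a site that can mail your old password back is storing it in a recoverable form.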


It isn’t so much a worry that your data got “hacked”, the real worry is when it gets sold again.


Lovely. I wonder how far back the data goes.

(I used to be on T-Mobile for a number of years until about 2007-ish when I jumped over to another carrier.)


That’s why I went with prepaid when I got on T-Mobile in 2013. It’s conceivable that I’ve had a credit card breached, though. They use a third party to process credit card payments, so they might not even have that.
