2 Million T-Mobile Customers Are Hit by a Data Breach

Account information, email addresses, and more were stolen, raising the risk of phishing email for affected consumers

By Jerry Beilinson

August 24, 2018

The exterior of a T-Mobile store in Santa Monica.

Hackers stole data on T-Mobile cellular customers that included their names, billing ZIP codes, email addresses, and account numbers, according to notifications sent out by the company starting late Thursday. The breach was discovered on Aug. 20 and affects about 2 million consumers.

T-Mobile says that no Social Security numbers or financial information were stolen and that it isn't calling on customers to take any action. The company alerted consumers by text message.

Like other data breaches, this incident could leave consumers more vulnerable to phishing schemes, CR security experts warn. "Companies are quick to reassure consumers if no Social Security numbers or credit card numbers were stolen, but other data losses can create just as much havoc," says Robert Richter, who leads privacy and security testing at Consumer Reports.

In a phishing attack, criminals could send a consumer a counterfeit email—with a real account number and billing information—claiming to be from T-Mobile and asking him or her to follow a link and log in. Such an email could be an attempt to trick the consumer into revealing a password.

"It's always better to open a new browser window or tab and go to a company's website on your own," Richter says. "Don't follow links or respond to emails asking for passwords or other personal data. And don't call a phone number included in the email."

This is the latest in a long line of data breaches consumers have learned about over the past year affecting the credit-reporting agency Equifax, the travel website Orbitz, the ride-sharing company Uber, and other companies.

Data breaches involving cellular providers can be especially risky, according to Dan Guido, CEO of the security firm Trail of Bits, if they make it easier for a criminal to take control of a consumer's phone number by porting it to a new phone. That's just one in a rising tide of fraud schemes related to cell phones. If someone does take control of your number, they might be able to use it to change banking passwords and others.

"The lesson for consumers here is that we tend to have misplaced trust in the cellular telephone system," Guido says. Over the past 10 years, banks and other institutions have used SMS messages and phones calls to authenticate users' identities.

The system, called two-factor authentication, typically requires consumers to enter a one-time code sent by text message along with a password to log in to an account. But data breaches and new kinds of cellular fraud are gradually making the practice less effective, Guido says.

To help protect their cellular accounts, Guido says consumers should add a different type of protection that's offered by all of the major carriers, including T-Mobile. It requires a separate password to make changes to an account, such as porting the number to a new carrier.

T-Mobile says that consumers with questions about the data breach can dial 611, use two-way messaging on MyT-Mobile.com, or access the T-Mobile app. "We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access," the announcement said. "We truly regret that this incident occurred and are so sorry for any inconvenience this has caused."

Jerry Beilinson

Jerry Beilinson heads tech journalism at Consumer Reports, directing both product coverage and investigations on issues such as algorithmic bias, the digital divide in internet access, and online privacy. In addition to digital technology, he has reported on and directed coverage of climate change, energy, medicine, sustainable design, infrastructure, and more for multiple publications.