A little over two weeks ago, the news dropped like a bomb. T-Mobile, the global telecommunications giant, had been hacked. And hacked badly. The gargantuan data breach compromised nearly 55 million current, former, and prospective customer accounts — and not just usernames and passwords. Birthdates. Social Security numbers. Driver’s license numbers. IMEIs (device IDs) and PINs. About the only thing the fraudsters didn’t swipe were credit card details.
T-Mobile CEO Mike Sievert says that with the help of the cybersecurity experts at Mandiant, they’ve at least identified the bad actor (reportedly a 21-year-old American named John Binns). They’ve also figured out how he got in: through T-Mobile’s testing environments. Once inside, Binns used brute force to tunnel into millions of user accounts.
A Truly Brute Attack
“Brute” is actually apt here because the T-Mobile cyberattack was indiscriminate and massive, gobbling up even the data of past and potential customers, including T-Mobile Metro account holders. The cybergrinch responsible stripped T-Mobile prepaid user account info, too, all the way down to the PIN, which T-Mobile has proactively reset for all primary account holders. No Sprint prepaid or Boost customers seem to have been looted.
If you somehow managed to escape the hack, you’d already know: T-Mobile put a banner up on your account page. (Check out MyT-Mobile.com now if you haven’t already.) If not, assume the worst. For former and prospective T-Mobile users whose data got filched — all 40 million of you — expect a call from T-Mobile in the next couple of weeks.
Since the mammoth mid-August attack, T-Mobile has been in full damage control mode. Besides resetting pay-as-you-go user PINs and reaching out to the millions of past (and future) T-Mobile customers whose SSN were swiped, T-Mobile has taken some immediate steps that CEO Sievert outlined in his official mea culpa1 on the T-Mobile blog.
Long-term, T-Mobile is now working with both Mandiant and KPMG LLP on getting their cybersecurity up to snuff. In Sievert’s own words: “These arrangements are part of a substantial multiyear investment to adopt best-in-class practices and transform our approach.” Which may leave many of the 54 million-plus Americans, whose driver’s license numbers are now for sale in lots on the dark web, wondering why “best-in-class practices” weren’t already part of T-Mobile’s approach.
Additionally, T-Mobile is offering victims two years of McAfee ID Theft Protection services on the house, while promoting their own Scam Shield as part of an ongoing consumer “scam awareness” campaign.
What Can I Do if Hackers Got into My T-Mobile Account?
No matter how you feel about T-Mobile’s “we got hacked badly but here’s how you can avoid getting hacked” online security philosophy, ramping up your digital hygiene is always a good idea. In fact, with the insane spate of fraud reports rolling into the FCC’s inbox in the past two years,2 everyone should be taking online security and identity theft protection very seriously these days.
If you’re a T-Mobile hack victim, on the other hand, there are a few steps you should consider taking immediately to mitigate the damage at ground zero and batten down the hatches on your personal details moving forward.
1. Put a Freeze on Your Credit. Now.
Freezing your credit isn’t daily digital hygiene, but if your SSN just got hacked, you should do it now. If you don’t, any criminal who gets their hands on it can literally apply for a credit card or a loan in your name. You know where that story is going.
Credit freezing is actually pretty easy. Just make sure you’re thorough and contact all three three main bureaus in charge of issuing credit reports: Equifax, Experian and Transunion. And, remember, you’ll need to fill out a separate form with each bureau to put the kibosh on dark web grifters.
Obviously, you won’t be able to make any loans or expensive purchases while your credit is frozen, but you also won’t be buying a four-bedroom villa in Hawaii for a fraudster.
2. Use an Identity Monitoring Service
T-Mobile actually did have the right idea when they steered breach victims to an identity monitoring subscription. Entrusting your personal info (SSN number, driver’s license, even your bank details) to a third party may be a big and scary step — especially for hardened security geeks who use a VPN just to check their email in the morning. However, it does make a lot of sense. Here’s why.
Unlike T-Mobile, ID theft protection providers don’t leave unprotected routers sitting around (which is how, sources say,3 hacker Binns broke in). They take your sensitive data, place it under lock and key, and then watch it closely for any suspicious activity.
In the case of the T-Mobile hack, the minute your SSN showed up on, say, a loan application in Provo, Utah, you’d have gotten an alert on your mobile phone or desktop. If for any reason, you didn’t heed the alert and a grifter actually managed to take that loan out, you’d have recovery assistance specialists at your side to get your money back 24/7. Usually, assistance includes legal fees and even reimbursement of stolen funds.
SSN monitoring is actually a core ID monitoring service and practically all providers offer it in their basic plans. If you’re looking for some trusted industry names, any of these Top Identity Theft Protection Picks is a good start.
3. Consider Triple-Bureau Credit Monitoring
As we mentioned up top, the three major credit bureaus in the U.S. are Experian, Equifax, and TransUnion. These are the folks that keep track of our debts, credit card balances, and bill payments. They’re also in charge of issuing our credit reports.
When something goes sideways with our credit, the big three bureaus will usually catch it. But not always. If a fraudster opens a line of credit in your name (and inevitably fails to pay it off), there’s a chance it might show up on Experian and Equifax’s radar, but not on TransUnion’s. If you placed all your eggs in TransUnion’s basket, you’d never know what hit you — until you tried to open a line of credit of your own, and couldn’t because your credit rating was now worthless.
That’s why triple-bureau credit monitoring is the gold standard, and why we always recommend it.
4. Surf With a Virtual Private Network
The networks we connect to every day are infinitely more hackable than the average telecom giant. A thief would need the IT equivalent of a butter knife to break into your router if it wasn’t protected. Ditto for every single café connection you’ve ever accessed with “cafe1234” for a password. Joining one of those networks naked is more or less inviting crooks to hack your laptop.
You can think of a VPN as your own secure internet tunnel, at home or on the go. (VPN apps work on mobiles, too). You simply flip your VPN on and it runs in the background, encrypting any data you send (via emails, downloads, websites, or apps) from end to end. The best VPNs even come with ad-and-malware-blockers to protect you from the same kind of bad code that tore through T-Mobile.
Just like ID theft monitoring, embracing VPNs can be a big step. If you’re just getting your feet wet with household online security, here are some of the Best VPNs on the market.
5. Use a Password Manager
Once you use a password manager, you won’t ever go back to what you were doing before, which was probably writing your passwords on scraps of paper, or worse — much, much worse — using the same password over and over.
With a password manager, you don’t have to remember anything but a master password for your whole vault. Considering that most Americans have upwards of 150 online accounts,4 that’s a lot not to have to remember. Plus, unlike the typical human passwords (“123456,” “123456789,” “qwerty,” and “password”), password managers generate passwords that actually keep thieves out, not attract them like bloody chum.
The good news here is that most password managers offer relatively cheap subscriptions — from $2.99 to $3.99 per month. Most also have family plans. Some even come bundled in with VPNs. With a premium Hotspot Shield package, for example, you get a 1Password subscription for free.
If you don’t want to shell out for yet another digital subscription, major browsers like Chrome, Firefox, and Safari will remember your passwords for you. Firefox’s Lockwise, for instance, will prompt you to save your username and password whenever you log in to a new account. Contrary to our gut instincts that tell us that saving passwords in browsers is dumb, it’s actually safe. This is Mozilla we’re talking about, after all, not the public library.
Which brings us back to T-Mobile and those 54 million-plus hacked user accounts.
Taking the right precautions — ID and credit monitoring, good password hygiene, even a VPN — can’t prevent data breaches. Hackers will always find a way in if they want to. But smart digital hygiene, coupled with a top-of-the-line ID theft monitoring service, means you’ll never have to wait for that call from T-Mobile to know that your SSN has been compromised. You’ll know the minute it happens.