T-Mobile Says Hacker Used Specialized Tools, Brute Force

T-Mobile said a cyberattack earlier this month that exposed millions of customer records was carried out using specialized tools to gain entry to the network, followed by brute force-style hacking techniques to access user data. From a report: "In short, this individual's intent was to break in and steal data, and they succeeded," Chief Executive Officer Mike Sievert said Friday in a statement, the company's fullest account yet of what happened. The company has hired cybersecurity provider Mandiant and consulting firm KPMG to improve its defenses, he said. The breach, the fourth that has compromised T-Mobile customer records in as many years, involved personal information including names, dates of birth, Social Security numbers and driver's license information. Sievert said the company is working with law enforcement and can't share further details of what happened. Further reading: T-Mobile Hacker Explains How He Breached Carrier's Security.

John Binns

[rsliverguns]

a 21-year-old stole private information(mine included) and having no ethics/morals, leaked and sold it for Fame and Profit. And is now doing interviews and laughing all the way to the bank?

Yea I know T-Mobile is at fault for weak security. But this guy is scum of the earth.

Re:

[oldgraybeard]

working hard?

Re:

[oldgraybeard]

John Binns (Score:5, Insightful) by oldgraybeard ( 2939809 ) on Thursday August 26, 2021 @10:29PM (#61733855) a 21-year-old stole private information(mine included) and having no ethics/morals, leaked and sold it for Fame and Profit. And is now doing interviews and laughing all the way to the bank? Yea I know T-Mobile is at fault for weak security. But this guy is scum of the earth.

Security costs money

[oldgraybeard]

and the C-Suite rarely spends money on anything but themselves. Oh wait! the suits re outsourced security. It will work this time! trust us!

Re:

[Ritz_Just_Ritz]

The class war BS aside....leadership will need to take accountability. While I suspect that things aren't much better at other providers, this would definitely make me think twice about using T-MO as a mobile carrier. Vote with your feet.

Re:

[oldgraybeard]

"leadership will need to take accountability." ah "leadership" and "accountability" all in the same sentence.
May have worked on the 1st, 2nd, 3rd times but now? They'll fire some tech workers and low level management, give themselves all raises for being being so "Leaderly".
Rinse, Repeat, Rinse, Repeat ... ...

where is the leadership?

[ceg97]

CEO Siever need to sack his entire security team and get some competent people. This "Oh well we did our best attitude" is not be acceptable.

Hacker used specialized tools ?

[takionya]

" Binns said he broke through the T-mobile defenses after discovering an unprotected router exposed on the internet, after scanning the carrier's internet addresses for weak spots using a publicly available tool," reports Axios.

"I was panicking because I had access to something big," he wrote in Telegram messages to the Journal. "Their security is awful." "Generating noise was one goal,"

What is NMAP [nmap.org]

What is NCAT [linuxtechi.com]?

Re:

[140Mandak262Jamuna]

These are the specialized tools according to T-Mobile?

Was T-Mobile Chief Infotech Security Officer a music major by any chance?

More importanly

[bobstreo]

If my data was stolen, how much is T-Mobile going to pay me?

I really don't want or need credit monitoring. I want a few K cash.

Re:

[BAReFO0t]

Well, how many dollars are going to put your data back in the box?

(That's a rhetorical question. No amount of money will. This is the wrong box to think in, and the wrong path to walk down. And in any case, even if you leave your home's door wide open, it's still the thief who was doing the crime, not you. So I suggest catching the thugs, and making them undo the damage. Even if it takes the rest of their lives.)

"broke through the T-mobile defenses"

[oldgraybeard]

Just to funny! oooo broke through the T-mobile defenses lol
Someone @ T-Mobile(or a contractor) screwed up an access rule and the management oversight in their IT Security Policy was "not" being followed so no one up the chain found it during any of the security reviews. If they were bothering to do security reviews?
Plain and Simple. Bad IT management.

Re:

[BAReFO0t]

Yeah, it's a biiit more complex than that.

Everything is easy, if you leave away the details. And hindsight is always 20/20.

At best, you can attribute it to how much the employees there gave a shit. which is directly dependent on how they were paid. Which is half-directly dependent on how much you paid. (The other half is profit/greed.)
There, you could make a better point.

Social Security Numbers? Really?

[filesiteguy]

I'm still shocked TMO stored SSN information unencrypted and in the same tables as the other data.

sad

Even worse

[raymorris]

What's even more crazy is that we're still acting like social security numbers are secret. Pretending that if you know someone's social security number, that proves you are that person. THAT is why anyone cares if social security numbers get leaked - because someone else is going to treat an SSN as if it's an authenticator, a secret. It's not.

Some bank or credit card company will give you money after an online application. They'll send you a credit card and expect that Bill Smith will repay it. They know i

Re:

[BAReFO0t]

And the entire rest of the world is shocked that you use SSN as authentication codes, and don't even have passwords to accompany them.
Seriously, you always complain about "evil totalitarian" demands of you having just a government ID number or passport number, but in practice, you already do. Just with the added insanity of companies somehow acting like it's more than just a number and can authenticate people or something.

It's seriously time to change that status quo. Especially if you're a business. Take s

Hmmmm

[Lost Penguin]

Had physical access, rebooted into the bios and reset the admin password? /s