A hacker claims to be selling data on over 100 million T-Mobile customers; the company keeps investigating

T-Mobile is investigating claims that it suffered a major data breach in which personal information related to 100 million customers was stolen and is now up for sale. Those claiming responsibility are asking 6 Bitcoin, around $270,000, for a subset of the data that contains info on 30 million social security numbers and driver licenses.

Update (Aug 16): T-Mobile has released the following statement, confirming it’s discovered and closed a security breach. Although unauthorized access to T-Mobile data has now been confirmed, they have yet to determine if personal customer data was part of it. The full statement reads:

“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.

“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”

According to a Motherboard report, the data comes from compromised T-Mobile servers and includes information on social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses. The publication has verified it contains accurate information on T-Mobile customers.

The sellers advertised the data on an underground forum. They said that T-Mobile had identified the breach and locked them out of the servers. Unfortunately, the stolen data had already been downloaded. “It’s backed up in multiple places,” they said.

T-Mobile has yet to confirm if it was hacked. In a statement to Motherboard, it said: “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”

If the report is accurate, the breach would be up there with some of the biggest hacks in history, putting it close to the My Fitness Pal attack of 2018 that saw 150 million user account details stolen. It’s still a long way off the 3 billion accounts impacted by the Yahoo hack of 2013, though.

T-Mobile is no stranger to these sort of incidents. In February, it revealed a data breach after an unknown number of customers were affected by SIM swap attacks, and it suffered another attack in December that exposed customers’ proprietary network information. Going further back, a hack in 2018 compromised 2.3 million customers’ personal information.