T-Mobile spills billing information to other customers

Some T-Mobile customers logged into their accounts on Wednesday to find another customer’s billing and account information showing on their online dashboards.

T-Mobile denied there was an attack, but confirmed there had been a data leak. It said a “temporary system glitch” had misplaced some subscriber account information, causing it to appear on other subscribers’ profile pages.

“There was no cyberattack or breach at T-Mobile. This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.”

Given the great number and the nature of the complaints on social media, one might suspect that T-Mobile is underplaying or underestimating the situation. Some users said they could access the information of several other subscribers and that they had complained about the issue before.

Multiple users who reported the issue online said they were seeing the same alternate account as others. These T-Mobile app users discovered that their Bill tab was displaying someone else’s account information, which allowed them to view and access the bill pages and profile settings of other customers.

To make matters worse, some users started changing the information they saw, believing they were correcting errors in their own details. Many payments were made on these accounts as well. This was likely also done by users unaware that they were accessing someone else’s account.

The exposed information included customers’ names, phone numbers, addresses, account balances, and the expiration dates and last four digits of credit cards.

Victims should monitor their credit reports and be on alert for scammers using leaked information to trick them into giving up additional information, like bank account credentials.

Credit card companies have sophisticated fraud detection and alert systems. One way to be alerted to possible fraudulent activity on your account is to opt in to text message, call or email alerts. When you discover a fraudulent charge, call your credit card issuer right away to report the unauthorized charge. In most cases, if you report suspected fraud right away, you will not be liable for any unwanted charge, no matter the amount.

We will keep you posted here if more information about the issue becomes available. So, stay tuned!

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.