T-Mobile has confirmed a data breach has affected a subset of its customers, with additional reporting from TechCrunch putting that figure at an estimated 1M+ accounts (or so). In other words, this is a big breach, but you shouldn’t freak out. Don’t ignore it, but don’t get nervous.
As T-Mobile wrote in its public disclosure:
“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities. None of your financial data (including credit card information) or social security numbers was involved, and no passwords were compromised.
The data accessed was information associated with your prepaid service account, including name and billing address (if you provided one when you established your account), phone number, account number, rate plan and features, such as whether you added an international calling feature.”
Here’s the good news. Since the “rate plan and features” bit requires T-Mobile to notify those affected, if you haven’t heard anything yet from the carrier, odds are good that you’re in the clear. It’s also possible that you don’t have the correct contact information associated with your account for T-Mobile to notify you, so it’s worth double-checking that in your account settings to be sure. If you’re paranoid, you can always call T-Mobile’s customer service number (611 on a T-Mobile phone) to confirm that your account is or is not affected.
If you did receive a notification, which means your data is wrapped up in this mess somehow, hope isn’t lost. First off, the data stolen isn’t especially damning, since the attackers didn’t get their hands on more critical information like your payment details, passwords, or social security number.
What they did steal could only likely be used to impersonate you, either at T-Mobile or on another service where someone knows you have an account. And there’s no guarantee that having your phone number or billing address would be enough to convince a customer service agent that they are you; these are pieces in a larger puzzle, but probably not serious enough to stress about. (And besides, it’s not like you can just change your address, nor should you go through the hassle of changing your primary phone number.)
What can you do in the meantime? If you’re nervous, consider setting up a password or a PIN with T-Mobile. That way, whenever you (or anyone trying to be you) contacts customer support, they’ll have to provide this specific information in order to proceed.
And make sure you don’t forget this PIN or passcode, or else you’ll probably have to go to a T-Mobile store in person to verify you are who you say you are if you’re having any issues with your account. According to T-Mobile, “Unless we can verify the caller’s identity through these methods, our policy is not to release any account specific information over the phone.”