top of page

T-Mobile confirms hack as customer data allegedly goes on sale online

Last week, hackers managed to breach some of T-Mobile’s internal servers claiming millions of personal data had been put online for sale.

The company had been criticised for a conflicting statement after a threat actor allegedly put up for sale the personal details of millions of T-Mobile customers on a cybercrime forum on Saturday, August 14.

The hacker’s ad referenced 30 million T-Mobile customers, but in a subsequent interview with news site Motherboard, the individual claimed the data was part of a larger package containing details for 100 million T-Mobile customers.

Further to this, the hacker then posted an online statement of its own, claiming that the breach occurred by gaining access to a T-Mobile GPRS gateway that was allegedly misconfigured.

Last week, in T-Mobile’s initial statement, they confirmed a breach but did not go into any further detail, and refrained from mentioning if customer data had been compromised whilst they validated the claims of the hacker and ran a thorough investigation.

Today, T-Mobile US has confirmed data from 850,000 prepaid customers and over 40 million records of former or prospective customers has indeed been stolen.

In a statement, T-Mobile US confirmed that the breached data includes first and last names, birth dates, Social Security numbers and driver’s license information. However, the company has also said there was no indication of financial details being compromised.

It’s the sixth security breach T-Mobile has disclosed since 2018.

The NCSC has published guidance for individuals and families who may have been affected by data breaches. People can follow their advice to reduce the impact of a breach by taking various actionable steps.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page