The personal data of 2.3 million T-Mobile customers may have been exposed and could be up for sale following a data breach on Aug. 20. While the company did say it successfully blocked the attack and no credit card information, social security numbers, or passwords were compromised, other personal data may have been accessed.
The type of information believed to have been exfiltrated by the hacker ranges from customers’ names, phone numbers, zip codes, and email addresses to account numbers and whether or not the accounts were prepaid or postpaid.
“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” reads the official T-Mobile statement. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”
However, a security researcher claiming to have had access to some of the stolen data says hashed passwords may have also been stolen, which could place account owners at risk. While there’s no official statement regarding the algorithm used to hash the passwords or whether they were salted, the fact that hashed passwords may have been exposed even though T-Mobile’s statement says that “no passwords were compromised” is troubling.
Some security experts believe the exposed data could be used against T-Mobile user accounts by enabling social engineering schemes that result in SIM hijacking attacks. This is particularly concerning as two-factor authentication could easily be bypassed if attackers manage to reroute phone calls to SIM cards that they control.
Customers who may have been affected by the breach have been or will soon be contacted by the company.