T-Mobile has repeatedly experienced data breaches over the years. The carrier announced its latest data breach about two weeks ago. This one resulted in data from 37 million customers being stolen. T-Mobile says that customer information was obtained between November 25, 2022, through January 5, 2023. The data was obtained through a flaw in T-Mobile's Application Programming Interface (API) which is used to allow other computer systems and programs to access and interact with T-Mobile's system.
Stolen data included full names, dates of birth, phone numbers, billing addresses, email addresses, billing account numbers, codes for rate plans and features, and the number of lines on the account. Passwords, social security numbers, and payment methods were not accessed.
As far as I'm aware, previous security incidents at T-Mobile haven't spilled over to their prepaid brands or MVNO partners. However, this incident has impacted Metro by T-Mobile and Assurance Wireless customers. Assurance Wireless is a Lifeline brand that T-Mobile inherited as a result of its purchase of Sprint.
During the past week or so Metro by T-Mobile and Assurance customers have been receiving text messages notifying affected customers of the breach. And about two days ago, Google Fi customers began receiving emails notifying them of a data breach.
Numerous Redditors have posted the email they received from Google Fi which is copied below. Language in the email, namely third-party systems, suggests that intruders gained access to Fi customer information through the T-Mobile API exploit.
"Dear Google Fi customer,
We’re writing to let you know that the primary network provider for Google Fi recently informed us there has been suspicious activity relating to a third-party system that contains a limited amount of Google Fi customer data.
There is no action required by you at this time.
This system is used for Google Fi customer support purposes and contains limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
Our incident response team undertook an investigation and determined that unauthorized access occurred and have worked with our primary network provider to identify and implement measures to secure the data on that third party system and notify everyone potentially impacted. There was no access to Google's systems or any systems overseen by Google.
If you are an active Fi user, please note that your Google Fi service continues to work as usual and was not interrupted by this issue.
What does this mean for me? The accessed information included your phone number and limited technical information. This includes information about when your account was activated, SIM card serial number, account status (for example, whether your plan is active or inactive), and limited details about the mobile service plan and options provided by your Google Fi service (such as unlimited SMS or international roaming). For more information As always, be alert for phishing attempts. For more about best practices, see our advice on how to avoid phishing. Read more about keeping your Google Fi information safe. We’re always here for our customers and available to offer support. If you have any questions or require assistance, please see this Help Center article for contact options and reference issue ID 267187948. Sincerely,
Google Fi Team"
Thus far, no other T-Mobile MVNOs have reported their customers' data has been stolen. However, it may be best to assume that it has as they all likely use the same API either directly or through a third party.
None of the providers impacted have told their customers that they need to do anything specific with their accounts due to the stolen data. However, those who were impacted should keep their eyes out for online phishing attempts designed to gather more information about them and to potentially take over their wireless and other accounts. As always, make sure you are using a strong password with your accounts and keep an eye out for any suspicious activity.