Think of all the information your mobile service carrier has about you. Your name and mobile phone number, of course. They also have your address, your payment card information (likely), where you normally use your service and where you travel, and a login and PIN for account access. T-Mobile recently suffered a data breach putting millions of customers’ data like that at risk. To be fair, there may not have been an actual breach of the information: the flaw was in a customer service website used by employees.

The problem is that anyone who knew the subdomain’s address could have accessed the information. A subdomain is a second “spinoff” website of a main site. If someone knew the name of that subdomain, they could easily have accessed all the information in that T-Mobile customer service database.

The database was not protected by a password or any other type of authentication. That is how it could have been accessed. And if the information contained in it did end up in the hands of hackers, they could conduct a very targeted phishing campaign with it. That means they could make email messages (or phone calls) so personalized that even the most eagle-eyed of us might not detect them. Often, this type of targeted phishing is referred to as spear-phishing.

There really is nothing you can do when a company fails to protect your information. However, you can do something to make spear-phishing attacks that use your information less likely to succeed.

Start with social media. Don’t put all the details of your life on it. Be selective about what you share, even if your privacy settings are strong (and they should be). Consider any information you put on the Internet as available to everyone. Once someone else shares it or captures it, you lose control over it. So, also consider it permanently on the Internet once you post it.

When using sites such as LinkedIn, try to describe your employment role as vaguely as you can, particularly if you are in a position to perform wire transfers or handle very sensitive information. Accounting and human resources personnel come to mind. Often, hackers will peruse these sites and create very targeted phishing email messages hoping that because they have information that is indeed true about you, you’ll fall for it.

Remember that if you are not expecting to receive an attachment or link, don’t click on it. A common method of hooking users is to send a fake invoice or shipping notification, hoping the person receiving it will just click without confirming its validity. Don’t do that. If you’re not expecting it, confirm it first.

T-Mobile has fixed the issue. However, since the site was exposed for a long period of time (October 2017 till May 2018), it’s unknown whether someone grabbed the data in the meantime.