from the you're-not-very-good-at-this dept
U.S. wireless company T-Mobile hasn’t had what you’d call a stellar track record on privacy or security. Last year, the company was forced to acknowledge that hackers had obtained the personal details (including social security numbers) of more than 53 million T-Mobile customers, the sixth time the company had been meaningfully compromised in as many years.
Last week, the company was forced to acknowledge that the Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March. While no consumer data was obtained (that we know of; these breaches always wind up being much worse than originally acknowledged), hackers obtained source code on numerous company projects thanks (in part) to human engineering:
The logs indicate LAPSUS$ had exactly zero problems buying, stealing or sweet-talking their way into employee accounts at companies they wanted to hack.
Several teen members of the group were arrested in London last month. The group was one of several hacking organizations that had easily targeted T-Mobile to engage in SIM swapping or SIM hijacking, the act of bribing employees to help them port a user’s cell number right out from beneath them, opening the door to all kinds of surveillance and identity or cryptocurrency theft.
SIM hijacking has become a big enough problem in recent years to gain the attention of prominent lawmakers like Senator Ron Wyden, though this only occurred after years of consumer complaints and several major lawsuits against T-Mobile by major cryptocurrency investors who say they lost millions to the scams.
Public Telegram chat logs (a major reason for the group’s unraveling) document how it obtained T-Mobile VPN credentials and had access to numerous T-Mobile employee accounts and to Atlas, a powerful internal T-Mobile tool used for managing customer accounts. The group also (unsuccessfully) tried to use its access to compromise T-Mobile accounts associated with the FBI and Department of Defense.
Again, while this didn’t include the group gaining access to consumer accounts (that we know of), it’s still an ugly look for T-Mobile, and likely could have set the stage for other, successive intrusions. Granted, this is all before mentioning that T-Mobile has also repeatedly made headlines over the last few years thanks to its over-collection of consumer location data it similarly failed to adequately secure.