Group Claims GGSN Misconfiguration Led to 100 Million User Accounts
T-Mobile USA says it is investigating a claim that as many as 100 million accounts may have been compromised in a data breach.
See Also: Top 50 Security Threats
Some of the data, around 30 million Social Security and driver’s license numbers, has been put up for sale on a well-known forum for trading stolen data. The price is six bitcoins, or around $286,000.
The person who is claiming to have breached T-Mobile says he is part of an international group that had access to the company’s systems for two to three weeks until Saturday.
The person claims that T-Mobile left a Gateway GPRS Support Node, or GGSN, that was apparently used for testing exposed to the internet. GGSNs are part of the core infrastructure that connect mobile devices to the internet.
“From there we pivoted through several different IP addresses and eventually got access to their production servers,” the person says in an instant message.
Eventually, the group accessed more than 100 servers by brute forcing and using credential stuffing on internal T-Mobile servers, most of which were Oracle databases. None had rate limiting enabled.
“Everything was stolen,” the person says.
The data includes names, addresses, phone numbers, driver’s license information, phone numbers and IMEI numbers, which are unique mobile device identifiers. It also includes International Mobile Subscriber Identity (IMSI) numbers and security PINs, the person claims.
The suspected breach was first reported by Vice’s Motherboard, which writes that it confirmed that a sample of the data belonged to T-Mobile users.
A T-Mobile spokesperson says: “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”
Data for Sale
The data was advertised on a well-known forum for selling and trading stolen data. The advertisement, however, does not mention T-Mobile. The post contains sample data for nine people.
The person would not say whether the Social Security and driver’s license numbers had been purchased yet. Also, the person says the group has received “multiple” offers for the full data but not whether it has been sold.
In July, the seller posted an advertisement for phone data pertaining to 833 million users and visitors to China. The data purportedly contained phone numbers plus IMEI and IMSI numbers. The cost was $2,000, but it’s unclear if the data was actually sold.
In November 2020, the person released data that contained taxpayer ID numbers for people and businesses in Brazil. When asked, the person wrote that the data came from an open Elasticsearch server.
Elasticsearch is an open-source platform for storing and querying data. By default, Elasticsearch clusters are not publicly accessible. But the clusters can be rolled out in a misconfigured manner, leaving data open on the Internet.
The Brazilian data was released for free because no one wanted to buy it, the seller wrote.
Several Data Breaches
T-Mobile, which is one of the top three mobile providers in the U.S., has had several breaches over the past few years.
In December 2020, T-Mobile notified about 200,000 customers of a data breach that occurred earlier that month. The data came from its customer proprietary network information, or CPNI, database. It included phone numbers, the number of lines a customer subscribed to and call-related information (see T-Mobile Alerts Customers to New Breach).
More than 1 million accounts were impacted by a breach in 2019 after someone accessed data related to prepaid wireless accounts. The exposed data included names, billing addresses, phone numbers, account numbers, rate plans and other details, such as if a person subscribed to international calling (see T-Mobile Says Prepaid Accounts Breached).
In 2018, up to 2.3 million accounts may have been affected by a breach that involved access to an unsecured API. T-Mobile said that it detected the attack quickly but still resulted in the loss of names, ZIP codes, phone numbers, email addresses, account numbers and whether the accounts are prepaid or postpaid (see T-Mobile Database Breach Exposes 2 Million Customers’ Data).