T-Mobile Confirms No Data Breach Amidst Rumors, Sheds Light on Authorized Retailer Network
T-Mobile has refuted rumors of a new data breach, instead pointing to an authorized retailer as the source of the compromised customer data. The telecom giant assures its customers that no sensitive information was accessed, but recommends changing passwords as a precaution. T-Mobile continues to collaborate with law enforcement agencies to investigate the incident thoroughly.
T-Mobile Denies Data Breach, Leaked Database Belongs to Authorized Retailer
T-Mobile has denied suffering another data breach following reports on Thursday night that a threat actor leaked a large database allegedly containing T-Mobile employees’ data.
The mobile carrier informed us that the leaked data is believed to belong to an authorized retailer who experienced a breach earlier this year.
“There has not been a T-Mobile data breach. The data being referred to online is believed to be related to an independently owned authorized retailer from their incident earlier this year. T-Mobile employee data was not exposed,” T-Mobile told us.
Last night, an individual using the alias ‘emo’ shared an 89 GB ZIP archive on the BreachForums hacking forum, claiming that it contains T-Mobile data and is related to Connectivity Source, a third-party authorized retailer for T-Mobile. However, the post suggests that the data was stolen from T-Mobile itself.
“In April 2023, T-Mobile suffered a data breach exposing sales data/analytics, T-Mobile support calls with customers, employee credentials, partial SSNs, email addresses, and customer data,” reads the forum post.
The archive posted on the hacking forum contains a significant amount of data, including employee IDs, employment status, hire dates, termination dates, rehire dates, job titles, department, names, the last four digits of social security numbers, and email addresses.
The data also appears to include information about customer orders and their plans.
The malware repository VX-Underground was the first to share information about the data leak in tweets [1, 2], describing it as a result of a T-Mobile breach.
“T-Mobile has been breached (again). Data has been exfiltrated and it is being shared online (again). This is T-Mobile’s 8th breach since 2018,” read tweets from VX-Underground.
As T-Mobile has a history of repeated data breaches, experiencing nine breaches since 2018, with two already in 2023, it is easy to assume that it suffered another breach.
Likely Linked to Connectivity Source Breach
However, this data breach is believed to be related to Amtel, LLC, an authorized T-Mobile retailer operating under the Connectivity Source brand, which previously disclosed a breach earlier this year.
In May 2023, Amtel warned that they suffered a data breach on April 19th, which allowed attackers to steal data belonging to current or former employees of the company.
“On April 19, 2023, Amtel was notified of suspicious activity in its network environment. Upon discovering this incident, Amtel promptly engaged a specialized cybersecurity firm to secure its environment and determine the nature and scope of the incident,” reads the Amtel/Connectivity Source data breach notification.
“While the investigation is ongoing, Amtel determined that the incident involved limited personally identifiable information (PII) on the same day.”
Although it has not been confirmed that the data released on BreachForums is the same data stolen in the breach disclosed by Amtel, the dates align, making it highly likely.
We contacted Connectivity Source regarding the publication of its stolen data last night but did not receive a response to our email.
The good news is that this data does not contain customer data, and Amtel claims that only 17,835 current and former employees were affected by the breach.
However, this data is still valuable to threat actors, who could use it to send targeted phishing emails to Connectivity Source employees in order to gain access to support systems or carry out SIM swapping attacks.
Therefore, all Connectivity Source employees should remain vigilant and verify the legitimacy of any suspicious emails before taking any action.