Unfortunately, dealing with these kinds of breaches is nothing new for the company — or its customers.
T-Mobile has dealt with a string of high-profile attacks in recent years, including a 2021 incident that experts at the time called “the worst breach they’ve had so far.” In that incident, full names, dates of birth, Social Security numbers, information from driver’s licenses and unique identifiers for customers’ phones were leaked, which put more than 40 million customers at greater risk of identity theft.
By comparison, the attack disclosed this week appeared to be less severe. The company said that, based on its investigation to date, “customer accounts and finances were not put at risk directly by this event.”
Even so, T-Mobile customers should strongly consider taking some time to rethink the way they interact with the company. If you’re concerned that your time with T-Mobile — past or present — has left your personal information vulnerable, here are a few things you should consider doing right now.
Change your password and PIN
In notices displayed to customers when accessing their T-Mobile accounts online, the company says account passwords and PINs have not been compromised. Even so, it’s worth taking a moment to make sure your passwords are as strong as they should be.
That’s because the personal information made available through data breaches like these can give an attacker almost everything they need to gain access to your T-Mobile account. And once an attacker has access to one of your accounts, more are likely to follow.
“The data that identity thieves want today tends more often than not to be log-ins and passwords,” said James E. Lee, chief operating officer at the Identity Theft Resource Center. “They want credentials, because that’s what they can use to break into other systems.”
This most recent hack granted access to fewer (and less damning) kinds of customer data than last time, but it could still come in handy to attackers who want to make use of your credit. That’s why personal finance and identity theft expert Adam Levin says affected customers should freeze their credit reports.
You’ll have to contact each of the three major credit bureaus — Equifax, Experian and TransUnion — with your requests, but freezing your credit is completely free, doesn’t affect your credit score and prevents anyone with your personal information (including you) from opening new lines of credit without securely “thawing” everything first.
Lee couldn’t agree more, noting that freezing your credit is “the most important thing you can do that is preventive” and that there’s little downside to it.
Rethink two-factor authentication
If you’re even mildly security-conscious, you might already have two-factor authentication enabled on some of your online accounts — and that’s good thinking. Here’s the rub, though: If you’re concerned your data has been compromised as part of this breach, it might be time to rethink how you use 2FA.
Let’s say an attacker manages to obtain your name, date of birth and address — if they luck out and find your Social Security number and reused password in other data dumps, that might be enough to give them access to your T-Mobile account. If that happens, you could be vulnerable to what’s called a SIM-swap attack, in which the hacker manages to switch control of your phone number to a phone they control.
That’s definitely bad, but what could make it worse is if the verification codes sent by services like Amazon, Twitter and many banks are delivered via text message. In that case, the keys to your online kingdom could be ferried straight to someone else.
One possible fix: Lee suggests using, whenever possible, authenticator apps from companies like Google and Microsoft that live directly on your phone. “Just having the text or the email that goes to the device is not as secure as having that authenticator app,” he said. “We always recommend to consumers that they use that, and to businesses that they offer that.”
Keep monitoring the situation
T-Mobile’s investigation is ongoing, but the company said in today’s filing that the “malicious activity appears to be fully contained at this time.”
Even so, that investigation could turn up new findings, so it’s worth following. In the aftermath of the company’s 2021 data breach, T-Mobile confirmed, days after its first public disclosure, that the scope of the hack was larger than it had previously reported. In other words, keep a close eye on your account(s) and stay on top of new updates.