T-Mobile says its customer records have been pillaged yet again. In a filing with the SEC, T-Mobile said it learned on Jan 5 that a "bad actor" abused an API to harvest names, billing addresses, phone numbers, emails, dates of birth and T-Mobile account numbers on 37 million current postpaid and prepaid customers.

Perfect timing, too. There are only a few more days left for T-Mobile customers to claim their $25 or possibly more for T-Mobile's settlement from the breach last August, when they exposed similar data on at least 40 million current and former customers.

And to think this data was exposed despite T-Mobile saying as part of its settlement from last year's breach that they were going to invest $150 million into their own security infrastructure.

https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000119312523010949/d641142d8k.htm

https://www.cnet.com/tech/mobile/another-data-breach-has-hit-t-mobile-impacting-37-million-accounts/


T-Mobile: We'll never raise the price of your existing contract, but we'll continue leaking your data for as long as you're a customer, and then some.

Okay, I should have led with this, from their 8k. My translation follows.

"As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program."

Didn't we say this was going to take a long time? Sheesh.

"We may incur significant expenses in connection with this incident."

We might have to pay some small percentage of customers who go through all the trouble of filing a claim to claim a measly few bucks. But in no way will this figure come close to a significant fraction of what we earn in a quarter.

"Although we are unable to predict the full impact of this incident on customer behavior in the future, including whether a change in our customers’ behavior could negatively impact our results of operations on an ongoing basis, we presently do not expect that it will have a material effect on the Company’s operations."

This is probably the only true statement in the 8k.

Just FYI, T-Mobile made about $20 billion in the most recent quarter. Or, as one British investor site put it, $19701 million.

..aaaaand here's my take on it.

https://krebsonsecurity.com/2023/01/new-t-mobile-breach-affects-37-million-accounts/

Thank you @hackdefendr for the excellent image.


@briankrebs @hackdefendr >The company said it first learned of the incident on Jan. 5, 2022, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022.

Do you mean Jan 5 2023?

@briankrebs
A 'billion' here used to mean a million million (1,000,000,000,000) so they're just ensuring clarity.
@briankrebs also, a lot of folks who don't think they're using Tmobile are using Tmobile. They have the most resold network in the world; Google, Mint, Metro, and many others are using Tmobile. So their shoddy security affects a lot of people who don't necessarily know it.
@briankrebs those British investors are hard to read
@0bondo7 @briankrebs It doesn't help that they have all thouse useless Us in sou many of their wourds.
@briankrebs okay I know not the point but is it me or does 19701 million sound bigger than 20 billion and is that how we should be writing it for emphasis?

@es @briankrebs

British maths is (are?) different from US math in regard to such numbers, as are Spanish numbers. In Spanish, we say the equivalent of "thousand million" where it would be "billion" in the US.

In Spanish, "un billón" would be what we would call "a trillion". The difference is in how we distinguish the "levels" of -illions. This is the difference between the "long scale" and the "short scale" for numbers greater than 1,000,000. In the US, we use the "short scale".

In the US, I think most of us picture it like this: million, then billion, then trillion, etc., all follow each other in a sequence, with each having three more zeros than the previous one.

In many other countries, million is followed by thousand million, and THEN billion, then thousand billion, THEN trillion, etc. In other words, "un billón" is "a million millions", if that makes sense.

It's super interesting (to me) to note this kind of funky cultural micro-difference that is so easily overlooked until one day it hits you in the face.

Also, for the levels between the -illions in communities that use the "long scale", they often name the thousand-million type numbers using the same root, but different endings, with -illiard instead of -illion. So, million, then milliard, billion, then billiard, trillion, then trilliard, etc., if you didn't want to say "thousand million" and such.

And no... I just looked it up, and I'm sorry to say: this is NOT where the name for the game "billiards" comes from! 

Sources:
https://en.wikipedia.org/wiki/Long_and_short_scales#Current_usage
https://www.etymonline.com/search?q=billiards

#SpanishTeacherFacts #DeNada #LongScale #ShortScale #MathsNotGross


@FluffyCowBird @briankrebs This is the coolest and most informative social media response I've ever had the pleasure of receiving. Thank you FluffyCowBird.

@es @briankrebs

Well, shucks! 

Coupled with a seventh-grader saying on the way out of the classroom the other day, "I liked today's lesson!!" I am going to call this week a bit early, for the Win column!  

I know I'm jinxing it and am probably going to have lots of tech issues now on our learn-from-home non-Snow-Day day tomorrow, but I'll take the gamble.

@briankrebs Given $20B from 260 million subs (about $77 per) these companies don’t see this as a big deal. Also, “good actor” pays for access to subscriber data while “bad actor” chooses to steal it.
@briankrebs The reason, besides pettiness, is that US "billions" are idiotic. A billion is a million millions everywhere else.
@briankrebs if that isn't a scathing indictment of the state of regulatory fines, I don't know what is.
@briankrebs
A spokesperson added "blah blah blah, we're making so much money off you users that we really don't care what you think. Inertia means people tweet their anger but don't actually change the company they do business with."
@briankrebs
Life is full of trade-offs. 😏
@briankrebs Digital storage. The gift that keeps on giving
@briankrebs I was a customer for 7 years and suffered through at least 3-4 data breaches during that time before I finally switched carriers. Might as well add "free credit monitoring" to their T-Mobile Tuesdays offering.
@briankrebs I think I might be switching carriers after this….
@briankrebs best I could do in short time.
@hackdefendr Permission to steal (with credit?)

@briankrebs

Here is the custom ink link in case you want to make a real shirt.

https://www.customink.com/designs/tmobilelk/qxx0-00cq-16aq/


@briankrebs meanwhile websites that use authy for their 2FA service: we won’t let you use a Google voice number as alt even if you can tie it to a device side 2FA key, but we’ll gladly take your TMobile number.

https://authy.com/blog/do-not-use-your-google-voice-number-for-two-factor-authentication/


@briankrebs can’t set up 2FA on twitch without using my cell number as an alt/backup. I just want a fucking QR code to scan into Google Authenticator. I can handle backup.

I hate Twilio. Went through a whole back and forth on twitch support that took over a month while the person on the other end dug into why the system didn’t want to take a google voice number.

#twilio #authy

@briankrebs recommendations for alternatives?
@wavefunction Yeah, wouldn't it be great to be able to use our phones....without the phone companies?
@briankrebs I mean, I’m not crazy on running my own SIP server somewhere. Or paying for a landline. 😕
@briankrebs the nice thing about being a T-Mobile customer is that you don't have to worry about them breaching your data. Every piece of data they have on their customers has already been breached a dozen times over! I wish they would make the identity protection subscriptions they give transferable so that we can pass them on to others who don't have subscriptions from their many MANY prior breaches. Better yet, they should give us a free annual subscription to HBO Max instead!!!