
Threat Actor Claims to Be in Possession of a Large T-Mobile Data Cache

Reporters at Motherboard found a threat actor advertising a portion of T-Mobile’s customer data, covering approximately 100 million customers, for around $277,000. When the post was first discovered it was unclear which company the data belonged to. In a private chat the threat actor told Motherboard that the data came from T-Mobile and claimed to have obtained it by compromising multiple T-Mobile servers. “I think they already found out because we lost access to the backdoored servers,” the unidentified threat actor said, adding that this would not affect their operation because the data had already been extracted and downloaded. The actor claims the data includes Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver’s license information. T-Mobile has not officially confirmed the claims, stating only: “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.” If a breach is confirmed, it will be the third time the company has been targeted since December 2020.

Analyst Notes

Although the breach has not been confirmed, T-Mobile customers should monitor their credit reports closely, since Social Security numbers may have been exposed, and consider placing a credit freeze; any suspicious activity should be reported to the appropriate entities. Because the attack vector is not yet known, it is hard to say what failed on the allegedly compromised servers. The threat actor’s claim that backdoored servers provided their access is a reminder of the basics: require Multi-Factor Authentication (MFA) together with strong, non-reused passwords; apply software updates and patches as soon as possible; and monitor critical servers for unusual activity, such as unexpected accounts, services, or outbound connections that could indicate a backdoor.