Not Once, Not Twice — Six Times and Counting
Few companies demonstrate the difficulty of cybersecurity quite like T-Mobile. The wireless carrier has disclosed significant data breaches in 2018, 2019, 2020, 2021, 2022, and 2023, each affecting millions of customers.
The most severe incident, in August 2021, exposed the personal data of over 76 million people — including current customers, former customers, and even prospective customers who had never completed an application.
Timeline of Breaches
2018: 2 million customers had names, billing addresses, phone numbers, and account numbers stolen through an API vulnerability.
2019: Over 1 million prepaid customers were affected by unauthorized access to their account information.
2020: Email addresses and phone numbers of employees and customers were accessed through an attack on an email vendor.
2021: The most damaging breach. Attackers accessed T-Mobile's internal systems and stole data on 76.6 million people, including Social Security numbers, driver's license information, and dates of birth. The attacker, a 21-year-old, later said T-Mobile's security was "awful."
2022: The Lapsus$ group used SIM-swapping and social engineering to breach T-Mobile's internal tools, accessing customer data and source code.
2023: An API vulnerability exposed the personal data of 37 million accounts over several months before detection. Later that year, a separate incident affected around 836 customers through a PIN-related vulnerability.
Why Telecom Data Is Especially Valuable
Mobile carrier breaches are particularly concerning because of what attackers can do with the data:
- SIM swapping — using stolen personal details to convince a carrier to transfer a phone number to an attacker-controlled SIM, which lets the attacker intercept 2FA codes sent to that number
- Porting fraud — transferring numbers to other carriers entirely
- Account takeover — accessing online carrier accounts to view billing details, change settings, or add new lines
- Identity theft — SSNs and driver's licenses from carrier applications are complete identity theft kits
Why It Keeps Happening
T-Mobile's repeated breaches point to systemic issues:
- Rapid growth through acquisition — merging Sprint's infrastructure introduced additional attack surface
- API security gaps — multiple breaches exploited API vulnerabilities that exposed too much data
- Legacy system complexity — telecom networks are massive, complex environments with decades of accumulated technical debt
- Attractive target profile — carriers hold highly valuable PII that commands premium prices on underground markets
What T-Mobile Has Done
After the 2021 breach, T-Mobile committed to spending $150 million on cybersecurity improvements and partnered with Mandiant for long-term consulting. Following the 2023 breach, T-Mobile reached a $31.5 million settlement with the FCC that included specific security improvement requirements.
What You Should Do
If you are or were a T-Mobile, Sprint, or MetroPCS customer:
- Add a PIN and extra authentication to your carrier account to prevent SIM swaps
- Monitor for SIM swap indicators — sudden loss of cell service is a red flag
- Don't rely on SMS-based 2FA — use authenticator apps instead
- Check your credit for unauthorized accounts opened with your stolen SSN
- Search for your exposure on LeakedSource to see which breaches include your data