The 21-year-old hacker who broke into T-Mobile’s servers and stole personal records for more than 50 million people says the company’s “awful” security made it easy — and that he did it for attention.
“Generating noise was one goal,” hacker John Binns gloated in an interview with The Wall Street Journal. “Their security is awful.”
Binns broke into T-Mobile’s servers earlier in August, stealing data on more than 54 million current, former and prospective customers, according to T-Mobile.
While some customers had social security numbers and birthdays exposed, others had unique phone-linked data like IMEI and IMSI numbers stolen — which other hackers could use as a starting point to take over victims’ phone lines, according to the Journal.
Binns — who goes by screen names including IRDev and v0rtex — would not tell the paper whether he had been paid to execute the hack or had sold any of the stolen data. He also would not say whether he worked alone.
T-Mobile did not immediately reply to a request for comment on the report. The Federal Bureau of Investigation’s office in Seattle is reportedly investigating the hack.
Binns, an American who grew up in northern Virginia and moved to his mother’s home of Turkey at age 18, said that he accessed T-Mobile’s servers after discovering an unprotected router exposed on the internet. He then reportedly used the router as an entry point to breach T-Mobile’s data center in Washington state and made off with the stolen data around Aug. 4.
“I was panicking because I had access to something big,” Binns said.
As evidence of his involvement, Binns showed the newspaper that he had access to an account that had shared screenshots of T-Mobile’s internal systems.
Glenn Gerstell, a former general counsel for the National Security Agency, told the Journal that Binns’ description of T-Mobile’s security system was concerning.
“That to me does not sound like good data management practices,” he said.
Binns also claimed that he was being persecuted by US authorities, telling the Journal without corroboration that he had been abducted in Germany and put in a fake mental hospital.
“I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he said.
The news comes just one day after President Joe Biden convened a summit of top tech and business leaders including the CEOs of Amazon, Apple, Google and JPMorgan to discuss cybersecurity issues.