So T-Mobile burned you. Again.
The mobile carrier known for its magenta-hued litigiousness is back in the news this week following a massive data breach which put almost 50 million peoples‘ data in the hands of hackers. And, because T-Mobile won’t specify how or when it’s notifying the bulk of affected customers (we asked, repeatedly), it’s up to you to go ahead and slam that digital stable door shut.
On Thursday, T-Mobile published a blog post detailing all the steps its customers should take to lock down their accounts. But before we get into that, it’s worth emphasizing the breadth and scale of what was stolen — along with the havoc criminals can wreak with that purloined data.
T-Mobile claims that, for 47.8 million current and former postpaid customers (along with prospective clients), hackers may have gotten their hands on full names, birthdays, and social security numbers, along with driver’s license and other ID information. For an additional 850,000 prepaid customers, the company says phone numbers and account PINs were also exposed.
That’s bad. With phone numbers, names, and account PINs, hackers have all they need to SIM swap victims’ accounts — gaining control of their phone numbers in the process. That’s even worse, as all types of account password resets are almost always sent to owners’ phone numbers. That means there’s a very real danger that some T-Mobile users could have everything from their social media profiles to their bank accounts fully taken over.
We repeatedly asked T-Mobile when, and how, it planned to notify all customers whose data was stolen in the hack. The company wouldn’t provide any concrete details.
“At this time we cannot add any additional information outside of the press release we posted last evening,” replied a company spokesperson. “While our investigation is ongoing, we shared these initial findings even as we may learn additional facts through our investigation that cause the details to change or evolve.”
In the Aug. 17 press release, T-Mobile only says that it “will be notifying accordingly right away” those accounts whose PINs were stolen. Even if it does indeed do this, that potentially still leaves 47.8 million victims in the dark.
What T-Mobile recommends, and why it’s not enough
In a sign of just how helpful T-Mobile intends to be, the first two recommended steps involve signing up for an identity theft monitoring service and activating T-Mobile Scan Shield — a free service that boasts of futuristic cybersecurity tools like Caller ID.
“We encourage you to complete these actions as soon as possible,” reads the blog post.
If you’re a postpaid customer, T-Mobile says you can turn on something called “Account Takeover Protection service” which is intended to “protect against an unauthorized user fraudulently porting out and stealing your phone number (postpaid only).” If you’re a postpaid customer you should definitely turn this on as it might actually help protect your account. However, a security feature only available to postpaid customers won’t do any good for the 850,000 prepaid customers whose PINs were stolen.
It also won’t do any good for the millions of former and prospective T-Mobile clients who don’t have accounts.
T-Mobile also helpfully suggests people “remain vigilant” and “to be alert for ‘phishing’ emails.”
How to change your T-Mobile account PIN
What you should really, actually do if you’re a current T-Mobile customer is change your PIN. That way, if hackers have obtained your PIN and attempt to SIM swap your phone number, it will be much more difficult for them to successfully do so.
To change your T-Mobile PIN:
Log into your T-Mobile account
Under the MY T-MOBILE drop-down menu, select My Profile > Profile Information
Scroll down, and next to Change PIN select Edit
Enter your new PIN twice, then select Save
That’s it. You’ve now done more to protect yourself than T-Mobile seemingly ever will.