The U.S. wireless carrier T-Mobile said Thursday that an unidentified malicious intruder breached its network in late November and stole data on 37 million customers, including addresses, phone numbers, and dates of birth.
According to Yahoo, T-Mobile said in a filing with the U.S. Securities and Exchange Commission that the breach was discovered Jan. 5. It said the data exposed to theft — based on its investigation to date — did not include passwords or PINs, bank account or credit card information, Social Security numbers or other government IDs.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, with no evidence the intruder was able to breach the company’s network. It said the data was first accessed on or around Nov. 25.
T-Mobile said it has notified law enforcement and federal agencies, which it did not name. It did not immediately respond to an e-mail seeking comment.
The company has been hacked multiple times in recent years. In its filing, T-Mobile said it did not expect the latest breach to have material impact on its operations. But a senior analyst for Moody’s Investors Service, Neil Mack, said in a statement that the breach raises questions about management’s cyber governance and could alienate customers and attract scrutiny by the Federal Communications Commission and other regulators.
Meanwhile, The Social Security numbers and other personal information of about 35,000 PayPal users were stolen in a December credential-stuffing attack, the company said in a Wednesday regulatory filing.
According to documents filed with the state of Maine, the attack occurred between Dec. 6 and Dec. 8 of last year and was discovered on Dec. 20. In addition to Social Security numbers, usernames, addresses, dates of birth and individual tax identification numbers also may have been compromised.
There’s no indication that any financial information was stolen, or that customer accounts were misused, PayPal said. The company’s payment systems were also not affected.
In a statement released to CNET on Thursday, PayPal said it has contacted affected customers and offered guidance on how to further protect their personal information. The company also reset the passwords of all of the affected accounts and is requiring their users to set new ones the next time they log in.
PayPal is also providing those affected with identity theft monitoring services through Equifax for the next two years, In a credential-stuffing attack, cybercriminals bombard online accounts with combinations of user names and passwords, often stolen in previous data breaches, in an attempt to access as many accounts as possible.
That’s a big reason why cybersecurity experts say consumers should always enable two-factor authentication whenever possible. The security measure requires a second form of authentication, like a fingerprint or a code sent to a user’s phone, in addition to a password, protecting a user in the event their password is compromised.
In addition, people should always use long, unique and random passwords for each of their online accounts. Those will be less likely to show up on the lists of passwords used to crack accounts in credential-stuffing attacks.