T-Mobile breach climbs to over 50 million people

The breach has sparked lawmaker concern.
People walk past the front of a T-Mobile retail store on August 18, 2021 in Arlington, Virginia. (Photo by Chip Somodevilla/Getty Images)

T-Mobile on Friday announced roughly 6 million additional accounts had data swiped in a recent hack, bringing the total number of victims of the breach to over approximately 55 million individuals.

The revelations come as lawmakers have ramped up scrutiny of the company.

An additional 5.3 million subscriber accounts had addresses, names, dates of birth, and phone numbers accessed, T-Mobile said. The company also found that the data of 667,000 more accounts of former T-Mobile customers, including their names, phone numbers, addresses and dates of birth, had been accessed.

Unlike the first set of customers identified by T-Mobile on Wednesday, none of these additional accounts had their Social Security Numbers or ID information compromised, the company said.


The new findings also reveal that phone data, IMEI and IMSIs were also accessed. IMEIs, which are often used for advertising purposes, are a unique fingerprint for a device that cannot be reset.

The company also noted that up to 52,000 prepaid Metro by T-Mobile accounts may have also been included in the attack. T-Mobile has actively re-sent customer PINs for all prepaid accounts accessed by the hacker. No data from the company’s other prepaid services have been found in the breach.

T-Mobile announced it was investigating the breach on Monday after reports that a hacker had put the stolen data up for sale on the dark web. The hacker claimed to have stolen the account information of more than 100 million accounts.

The breach, the fifth the company has suffered since 2018, has sparked fury from lawmakers and fueled interest on the Hill for more aggressive privacy and data breach notification laws.

“This breach is yet another example of why Congress must pass a national privacy and data security law,” Republicans on the House Energy and Commerce Committee, led by ranking member Rep. Cathy McMorris Rodgers of Washington, wrote in a statement. “We need strong national standards that ensure industries can innovate, strengthen cybersecurity and data privacy, and keep up with the evolving ways bad actors steal personal information.”


The company is also facing a class-action lawsuit requesting unspecified damages and a court order prohibiting the company from keeping personal information on a cloud database, as Motherboard reported.

T-Mobile has expressed confidence that the company has shut off the access point the hacker used to get into its servers.

“Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack,” T-Mobile stated in its most recent announcement.

Updated 8/20/21: to include information about a lawsuit.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts