T-Mobile is investigating claims that sensitive information from 100 million users is being sold on the dark web, Motherboard reported, citing its contact with the seller and data samples it had seen.
The data includes information such as names and social security numbers; phone numbers and physical addresses; driver license details; and unique IMEI numbers, Motherboard reported.
“T-Mobile USA. Full customer info,” the seller told Motherboard in an online chat. The seller added that they “compromised multiple servers related to T-Mobile,” per Motherboard.
The underground forum had a customer data set selling for 6 bitcoin — about $270,000 — packaged with 30 million social security numbers and driver license details, according to the report. The seller allegedly told the news outlet that the rest of the data was in the process of being privately sold.
“I think they already found out because we lost access to the backdoored servers,” the seller told Motherboard, referring to signs that T-Mobile possibly responded to the hack.
The seller allegedly told the news outlet that, despite the loss of access to the backdoored servers, the data had already been downloaded to local servers.
“It’s backed up in multiple places,” they said.
T-Mobile said in a statement to Motherboard and other media outlets that the company is “aware of claims made in an underground forum” and it is in the midst of an active probe to scrutinize the “validity” of the allegations.
“We do not have any additional information to share at this time,” said the statement.
The self-proclaimed hacker selling the data is reportedly a member of an international group that had access to T-Mobile’s systems for two to three weeks until Saturday, according to govinfosecurity.com.
The seller claims that T-Mobile left a Gateway GPRS Support Node (GGSN), possibly used for testing, exposed to the internet, per govinfosecurity.com.
“From there we pivoted through several different IP addresses and eventually got access to their production servers,” the person said in an instant message, according to govinfosecurity.com.