At a glance.
- T-Mobile data breach compromises data of millions.
- Cyberattack at PayPal highlights the importance of password security.
T-Mobile data breach compromises data of millions.
Yesterday wireless giant T-Mobile disclosed it suffered a data breach that exposed the data of approximately 37 million of its current postpaid and prepaid customer accounts. Bloomberg reports that the compromised data include names, billing addresses, email addresses, phone numbers, and dates of birth, as well as account numbers and plan details, but no payment info or passwords were accessed. T-Mobile said in a statement, “Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained.” According to the company’s filing with the US Securities and Exchange Commission, T-Mobile detected the incident on January 5 and secured its networks within a day, but it’s believed the hacker had access to the network starting on November 25.
SecurityWeek explains that the attackers appeared to access the customer data by abusing a single API entry point, but T-Mobile says the intruders did not breach the company’s systems or network. “Based on our investigation to date, customer accounts and finances were not put at risk directly by this event,” T-Mobile said in the filing. The Wall Street Journal notes that this is the second major breach the company has experienced in the past two years. In 2021 a hacker stole the data of over 13 million active and 40 million prospective T-Mobile customers, and last year the company settled a class-action suit related to that breach for $500 million. T-Mobile says it’s likely the newest breach will be costly as well. A spokesperson from the US Federal Communications Commission stated, “This incident is the latest in a string of data breaches at the company, and the FCC is investigating.”
Cyberattack at PayPal highlights the importance of password security.
Online payment platform PayPal has begun notifying nearly 35,000 users that their data were exposed in a credential stuffing attack. Bleeping Computer reports that the incident occurred between December 6 and December 8, and PayPal worked swiftly to mitigate it and launch an investigation. By December 20 the company confirmed that unauthorized third parties had used stolen credentials to log into accounts, but there was no evidence of a breach of the company’s systems and it was determined the credentials had been acquired by some other means. The potentially compromised data include account holders' full names, dates of birth, postal addresses, Social Security numbers, tax IDs, and payment info. The company informed the impacted users, “We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account.”
An attack of such scale and visibility has elicited commentary from security experts. Baber Amin, the COO of Veridium, told PCWorld that companies like PayPal need to do more to protect user data. “As trusted vendors, PayPal and others need to set a higher bar here.” Amin suggests companies should rigorously monitor their systems for suspicious behavior (like a high volume of failed login attempts, a telltale sign of a credential stuffing attack), actively encourage users to use two-factor authentication, and “eliminate passwords from their user-facing systems by fast tracking FIDO Passkey adoption.” Dr. Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, told Forbes he questions “why MFA authentication is not enforced by default for such a sensitive service as PayPal.” Jasson Casey, chief technology officer at Beyond Identity, says perhaps it’s time to do away with passwords entirely, claiming that “passwords - whether unique or complex - are fundamentally flawed.” Casey suggests organizations should be moving to phishing-resistant credentials like FIDO Alliance standard blueprints.
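The failed-login signal Amin describes, as an added illustration that is not from PayPal, the article, or any vendor: a small Python detector over constructed authentication log lines that separates credential stuffing (many distinct accounts failing from one source) from single-account brute force. The log format, thresholds and window size are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (no real system or users): timestamp, source IP, user, result.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:03 203.0.113.7 carol FAIL
2022-12-06T10:00:04 203.0.113.7 dave OK
2022-12-06T10:00:05 203.0.113.7 erin FAIL
2022-12-06T10:00:06 203.0.113.7 frank FAIL
2022-12-06T10:00:07 198.51.100.9 alice FAIL
2022-12-06T10:00:08 198.51.100.9 alice FAIL
2022-12-06T10:00:09 198.51.100.9 alice FAIL
2022-12-06T10:00:10 198.51.100.9 alice FAIL
2022-12-06T10:00:11 198.51.100.9 alice FAIL
2022-12-06T10:05:00 192.0.2.5 grace FAIL
2022-12-06T10:05:30 192.0.2.5 grace OK
"""

def parse_line(line):
    """Split one log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def classify_sources(log_text, window=timedelta(minutes=5), min_failures=5, min_users=4):
    """Label each source IP 'stuffing', 'brute_force' or 'normal'.

    Credential stuffing shows as many failures spread over many distinct accounts
    from one source; a classic brute force hammers one account; everything else
    is treated as normal. Thresholds are illustrative tuning knobs (assumed values).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))
    labels = {}
    for ip, evs in events.items():
        evs.sort()
        labels[ip] = "normal"
        for start, _, _ in evs:  # sliding window anchored at each event
            fails = [u for t, u, r in evs if start <= t < start + window and r == "FAIL"]
            if len(fails) >= min_failures:
                labels[ip] = "stuffing" if len(set(fails)) >= min_users else "brute_force"
                break
    return labels
```

In practice the same logic would be keyed on more than the source IP (stuffing is often spread across proxies), with the stuffing label feeding rate limiting and step-up MFA rather than a hard block.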