What to Do If You're Concerned About the T-Mobile Data Breach

Exposed data includes driver's license info and Social Security numbers. Some simple steps can protect your sensitive information.

T-Mobile sign Photo: David Paul Morris/Getty Images

Cell phone carrier T-Mobile has rolled out new tools, including free identity protection services, to help customers affected by a large data breach. According to T-Mobile, criminals acquired the personal data of almost 50 million consumers.

T-Mobile says preliminary analysis of the breach indicates that the stolen files contained account information from approximately 850,000 T-Mobile prepaid customers and 7.8 million regular monthly customers, as well as more than 40 million records related to former or prospective customers who had applied for credit with T-Mobile, a company spokesperson said in an e-mail to Consumer Reports.

For the prepaid customers, the exposed data included names, phone numbers, and account PINs, the company said. T-Mobile has proactively reset the PINs on those accounts. (No Metro by T-Mobile, former Sprint prepaid, or Boost customers had that info revealed.)

The stolen data on other T-Mobile customers included their first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. However, their phone numbers, account numbers, PINs, passwords, and financial information were not compromised, the company said.

The vulnerability that let criminals gain access to the data has been fixed, according to T-Mobile.

Earlier reporting put the number of affected accounts at 100 million, with the tech site Motherboard reporting that criminals claimed to have accessed and copied data including Social Security numbers and other sensitive data such as the International Mobile Equipment Identity (IMEI) numbers that serve as a phone’s digital fingerprint.

More on Data Security

According to Motherboard, which had seen a sample of the information stolen in the breach, the thieves put a subset of the data up for sale on the web with an asking price of approximately $270,000 in bitcoin, which caught the attention of the site’s editors.

“If it’s true, it’s a treasure trove of personally identifiable information,” says Rick Tracy, chief security officer at Telos, a cybersecurity firm based in Virginia. “This was a lot of data for a lot of customers. Unauthorized access should have triggered an alarm.”

T-Mobile has created a web page with up-to-date information and remedies for consumers. The page does not offer a way to determine whether your account is one of those affected by the breach.

The company said it will offer two years of free McAfee identity protection services to affected customers. T-Mobile is recommending that all postpaid customers proactively change their PINs just to be safe. (See below for details on how to do that.)

The company is also beefing up its Account Takeover Protections in the wake of the breach.

T-Mobile has been hit with five smaller cyberattacks since 2018, the largest exposing some personal information of around 2 million users.

Law firms have filed a class-action suit against T-Mobile in Washington state seeking compensatory damages, reimbursement of out‐of‐pocket costs, improvements to T-Mobile’s data security systems, future annual audits, and adequate credit monitoring.

How to Protect Yourself

There’s no easy way to prevent a thief from using your Social Security number or your driver’s license number, but there are things you can do to limit the impact of having such personal info exposed to criminals.

Freeze your credit. That makes it difficult for identity thieves to open new accounts in your name. It requires contacting each of the three major credit bureaus: Equifax, Experian, and TransUnion.

Because of the ongoing COVID-19 crisis, the bureaus are offering free weekly credit reports through April 20, 2022. Before the pandemic, each offered a single free report annually and charged $20 for additional reports.

You’ll need to lift the freeze temporarily when you want to give a company access to your credit information—say, if you’re applying for a credit card or a car loan, or you want to rent an apartment.

Beef up your password game. While password information doesn’t seem to have been affected by the T-Mobile breach, the company is suggesting that customers change their passwords by logging in to their accounts or calling customer service by dialing 611 on their cell phones, although as of the morning of Friday, Aug. 20, the wait to talk to a representative was 45 minutes.

While using a different password for each account is one of the basic principles of digital security, if you sometimes recycle passwords, you should also change the passwords on other accounts that have the same credentials used on your T-Mobile account.

This might also be a good incentive to start using a password manager, a service that helps you create and store unique, complex passwords for each of your accounts.

Use multifactor authentication. In addition to using strong, unique passwords for every online account, it’s also smart to set up multifactor authentication, often called two-factor authentication.

When you turn on MFA, which is available for financial sites, social media sites, and many others, you need your password plus a second form of ID to log in. That way, if thieves get your password, they still won’t be able to access your account. The most common way to use MFA is probably to have the site send you a text message with a code that you enter into a pop-up box, but security experts say it’s better to use a smartphone app or physical security key. 

Delete unused accounts. Any data breach can serve as a reminder that the more digital accounts you have, the greater the risk of your data being misused or stolen. You obviously can’t delete your cellular account, but you can take some time to locate other accounts that you haven’t used in years. Begin by typing your usernames, old and new, into a search engine and looking for combinations of your name and email address. You can also look for phrases such as “welcome to” or “new account” in your inbox, or look for saved log-ins in your search engines.

For more information on enhancing your digital security, use the CR Security Planner, a free tool that can help you create and save a personalized to-do list.

Editor’s Note: This article has been updated with information about services T-Mobile is offering customers affected by the data breach. The article was originally published Aug. 16, 2021.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.