T-Mobile has confirmed that the Lapsus$ extortion gang breached its network “several weeks ago” using stolen credentials and gained access to internal systems.
The telecommunications company added that it severed the cybercrime group’s access to its network and disabled the credentials used in the hack after discovering the security breach.
Per T-Mobile, the Lapsus$ hackers didn’t steal sensitive customer or government information during the incident.
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” a T-Mobile spokesperson told BleepingComputer.
“The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.
“Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
Independent investigative journalist Brian Krebs first reported the breach after reviewing leaked Telegram chat messages between Lapsus$ gang members.
While inside the mobile carrier’s network, the cybercriminals were able to steal proprietary T-Mobile source code, according to Krebs.
T-Mobile hit by multiple breaches in the last several years
Since 2018, T-Mobile has disclosed six other data breaches, including one where hackers accessed data belonging to 3% of its customers.
One year later, in 2019, T-Mobile revealed that it exposed prepaid customers’ data, while in March 2020, unknown threat actors gained access to T-Mobile employees’ email accounts.
In December 2020, hackers also gained access to customer proprietary network information (phone numbers, call records), and in February 2021, an internal T-Mobile application was accessed without authorization by attackers.
In the wake of the August 2021 breach, T-Mobile unsuccessfully tried to stop the stolen data from being leaked online after paying the hackers $270,000 through a third-party firm, per a VICE report.
Last month, the New York State Office of the Attorney General (NY OAG) warned victims of T-Mobile’s August data breach that they’re facing increased identity theft risks after some of their stolen sensitive info ended up for sale on the dark web.
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) also notified T-Mobile customers earlier this month of an unblockable SMS phishing campaign likely targeting them using info stolen in past data breaches.