What the T-Mobile breach taught us about multifactor authentication.
In August 2021, T-Mobile confirmed that they had been a victim of a cyberattack that compromised roughly 50 million current, former, and prospective customers. Mike Sievert, CEO of T-Mobile, said the breach primarily exposed some social security numbers, names, addresses, dates of birth, and driver’s license/ID information.
T-Mobile indicated that the bad actor gained access to the sensitive data by leveraging their knowledge of the company’s technical systems alongside specialized tools and capabilities, then used brute-force attacks (guessing possible combinations to crack passwords, login credentials, and encryption keys) and other methods to reach the IT servers.
If you believe your data was compromised as part of this breach, we highly recommend changing your password (and any other logins that use the same password) and using multifactor authentication (MFA) through a separate application like Authy or Microsoft Authenticator rather than codes sent to the device as SMS messages. This serves as an additional layer of protection, putting cybersecurity into the hands of each individual by combining something you know (like a password) with something you have (like a code generated by an app) or something you are (like biometrics) to allow access.
The T-Mobile breach demonstrated that attackers are able to masquerade as an account owner and ultimately “hijack” their SIM card or change the ownership of the number. Once the attacker has control of the SIM or number, they receive any authentication messages or code requests and can use them to gain access to the account. This type of attack was once used only against high-profile targets but is becoming more common against average individuals because so many accounts rely on MFA via SMS message codes.