Hacker who stole T-Mobile customer data “Security was terrible”

The person who hacked the data of 50 million customers on T-Mobile said in a media interview that T-Mobile’s security was terrible.

On August 16 (local time), there was a report on the possibility of data leakage of more than 100 million T-Mobile users. In response, T-Mobile acknowledged the hack, but said it was still investigating the leaked data. After further investigation, it was revealed that the leaked information was the data of 47.8 million customers, and that some users’ social security numbers, driver’s licenses, and T-Mobile account passwords were leaked.

John Beans, a 21-year-old American hacker who immigrated from Turkey a few years ago, stole about 50 million customer data. The way he hacked the T-Mobile system was to exploit a vulnerability hidden in a known Internet address within T-Mobile. He said in July 2021 that he discovered an uncompromised router and used the credentials stored on it to access T-Mobile servers and steal customer information.

Although he did not disclose details of the method, he said he used a simple tool that was open to the public to find the weakness of T-Mobile’s Internet address. After accessing the T-Mobile Washington data center in this way, he said that there are more than 100 servers in the data center, and at first he was embarrassed because he could access too much data. He also said that T-Mobile’s security was terrible, he said, making it possible to access large amounts of data in a relatively simple way.

He said that it took about a week to access the server where tens of millions of customer data was stored, and he stole a large amount of customer data from the server on August 4th. He said it was to get people’s attention as to why T-Mobile was hacked. He often complained that he had been a victim of fake kidnappings by authorities, saying he had no reason to invent such a thing and was expecting more information about the incident to be leaked from within the FBI.

Although he has revealed his motives, it is not clear whether he sold the stolen data or whether he hacked T-Mobile to obtain compensation from a third party. Related information can be found here.