T-Mobile's Breach Just Got Much, Much Worse
T-Mobile now says over 40 million former and prospective customers had records exposed, alongside 7.8 million current postpaid subscribers.
Yesterday T-Mobile put a number on the breach it disclosed earlier this week, and the number is bad. A preliminary analysis now shows attackers accessed records belonging to more than 40 million former and prospective customers, plus 7.8 million current postpaid subscribers. That’s not a typo — tens of millions of people, many of whom may not have used T-Mobile in years, just found out their personal data was sitting somewhere it shouldn’t have been.
What got exposed is the stuff that actually matters for identity theft: names, birthdates, Social Security numbers, and driver’s license information. T-Mobile says no financial data — no card numbers, no bank details — was taken, and phone numbers and account PINs weren’t part of this haul either, as far as the company has confirmed so far. Small mercy, but SSNs and DOBs are the real currency for opening fraudulent accounts, so “no financial data” doesn’t mean “no harm done.”
The prospective-customer detail is the weird part
The inclusion of “prospective customers” is what jumps out to me. That means people who applied for T-Mobile service, maybe ran a credit check as part of signing up, and never became subscribers still had their data sitting in a system that got compromised. If you’ve ever filled out a form at a T-Mobile store or online just to get a quote, you may be in this pool. That’s a much bigger blast radius than the usual “current customer database got hit” story, and it’s a good reminder that data collected during a sales funnel doesn’t just evaporate if you walk away.
T-Mobile is offering free identity-protection services to affected customers, which is the standard playbook at this point — practically boilerplate after a breach of this size. It helps, but it’s also worth remembering that identity-monitoring services mostly tell you after something’s gone wrong rather than preventing it. If you’re a T-Mobile customer, current, former, or someone who just requested a quote, freezing your credit with the three bureaus is still the more durable move here. It’s free, it takes maybe twenty minutes total, and it closes the door that SSN-plus-birthdate combos are meant to open.
This is also the kind of breach that tends to grow in the retelling — “preliminary analysis” is doing some work in that phrase. Companies routinely revise these numbers upward as forensic teams dig deeper, so I wouldn’t be shocked if the final tally ends up higher than 40 million once T-Mobile finishes its investigation. Worth keeping an eye on how this develops over the next few weeks, and whether regulators or state attorneys general start asking pointed questions about how a telecom with this many resources let a breach of this scale happen in the first place.