T-Mobile's Breach Just Got Worse — Now It's Your Device's Turn
T-Mobile disclosed that attackers also grabbed IMEI and IMSI numbers, pushing the total affected past 76 million.
Just when it seemed like T-Mobile’s breach disclosures had plateaued, the company came back yesterday with an update that makes things worse. On top of names, birthdates, Social Security numbers, and driver’s license details, T-Mobile now says attackers also got their hands on IMEI and IMSI numbers — the unique identifiers baked into your phone’s hardware and SIM card. The total number of people affected has climbed to roughly 76.6 million, spanning current, former, and even prospective customers who never signed a contract.
If you’ve been following this story since Monday, the pattern is clear: every new disclosure has been bigger and more granular than the last. First it was “we got breached.” Then it was “tens of millions of records.” Now it’s “also, here’s the ID number tied to the physical device in your pocket.” That’s not a great trajectory for a company trying to project control over the situation.
Why IMEI and IMSI matter. These aren’t like a leaked email address you can just change. An IMEI is a permanent serial number stamped into your phone at the factory; an IMSI is tied to your SIM. Together they’re used by carriers (and law enforcement, and occasionally less scrupulous actors) to identify and track a specific device on a specific network. In the wrong hands, they’re a building block for SIM-swap attacks and more targeted device-level fraud — not the kind of thing you can rotate the way you’d change a password.
Combine that with the SSNs and driver’s license numbers already confirmed stolen, and you’ve got a breach that touches both your identity and your hardware. T-Mobile has said no financial data was taken and it’s offering free identity-protection services, which is the standard playbook at this point, but “no financial data” is cold comfort when someone has enough to open credit lines in your name or convince a support rep they’re you.
What’s striking is how this compares to T-Mobile’s last big breach in 2020 — this one is an order of magnitude larger in scope and depth of data. At 76.6 million affected, we’re talking about a number that rivals the entire active subscriber base of some of the biggest carriers in the country. Given T-Mobile’s history of breaches, there’s a real question of whether “we take security seriously” statements from carriers mean anything anymore, or whether they’re just the obligatory line every company reaches for after getting caught.
For now, if you’re a T-Mobile customer — current, former, or someone who once walked into a store and gave them your info for a quote — assume your data is out there. Freeze your credit if you haven’t, watch for SIM-swap attempts, and don’t expect this to be the last update. Given the trend of the past week, I wouldn’t bet against another expansion of the scope before this story is done.