{
	"id": "a455dc87-9a8c-400a-8a12-528fbd307a4c",
	"created_at": "2026-04-06T00:17:33.625869Z",
	"updated_at": "2026-04-10T03:31:42.28526Z",
	"deleted_at": null,
	"sha1_hash": "570a4a9560d06e09f190855d7dfcb3b1fe77256b",
	"title": "Was T-Mobile compromised by a zero-day in Jira?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 762938,
	"plain_text": "Was T-Mobile compromised by a zero-day in Jira?\r\nBy Pieter Arntz\r\nPublished: 2024-06-21 · Archived: 2026-04-05 17:46:43 UTC\r\nA moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim\r\ncomes from a data breach at T-Mobile.\r\nThe moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images,\r\nTerraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find\r\na reference to them anywhere, so perhaps it’s a mistranslation or typo.)\r\nPost offering data for sale supposedly from a T-Mobile internal breach\r\nTo prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges\r\nto a Confluence server and T-Mobile’s internal Slack channels for developers.\r\nBut according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older\r\nscreenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party\r\nvendor’s servers, from where they were stolen.\r\nWhen we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of\r\nthem.\r\nhttps://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira\r\nPage 1 of 3\n\nFound CVE-2024-1597\r\nThis screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams\r\nto plan, track, release and support software. It’s typically a place where you could find the source code of works in\r\nprogress.\r\nThe search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a\r\ncybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the\r\nform is asking for. 
The vulnerability affects Confluence Data Center and Server according to Atlassian’s May\r\nsecurity bulletin.\r\nFor a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian,\r\nwhere Jira is the project management and issue tracking tool and Confluence is the collaboration and\r\ndocumentation tool. They are often used together.\r\nIf IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that\r\nthey have the source code of three internal tools used at Apple, including a single sign-on authentication system\r\nknown as AppleConnect.\r\nThis theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.\r\nIntelBroker selling zero-day for Jira\r\n“I’m selling a zero-day RCE for Atlassian’s Jira.\r\nWorks for the latest version of the desktop app, as well as Jira with confluence.\r\nNo login is required for this, and works with Okta SSO.”\r\nIf this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.\r\nMeanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a\r\nbreach at a third-party provider.\r\n“We have no indication that T-Mobile customer data or source code was included and can confirm that\r\nthe bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. 
Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira"
	],
	"report_names": [
		"was-t-mobile-compromised-by-a-zero-day-in-jira"
	],
	"threat_actors": [
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/570a4a9560d06e09f190855d7dfcb3b1fe77256b.pdf",
		"text": "https://archive.orkl.eu/570a4a9560d06e09f190855d7dfcb3b1fe77256b.txt",
		"img": "https://archive.orkl.eu/570a4a9560d06e09f190855d7dfcb3b1fe77256b.jpg"
	}
}