{ "id": "6444a59a-43c9-4498-b429-6362eff24cde", "created_at": "2026-04-06T00:15:54.174943Z", "updated_at": "2026-04-10T13:11:17.996179Z", "deleted_at": null, "sha1_hash": "c9140e563a1987a16d1a3931b0fb54e49886db49", "title": "T-Mobile confirms it was hacked in recent wave of telecom breaches", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2255870, "plain_text": "T-Mobile confirms it was hacked in recent wave of telecom breaches\r\nBy Lawrence Abrams\r\nPublished: 2024-11-16 · Archived: 2026-04-05 18:26:09 UTC\r\nT-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to\r\ngain access to private communications, call records, and law enforcement information requests.\r\n\"T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been\r\nimpacted in any significant way, and we have no evidence of impacts to customer information,\" T-Mobile told the Wall\r\nStreet Journal, which first reported about the breach.\r\n\"We will continue to monitor this closely, working with industry peers and the relevant authorities.\"\r\nhttps://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nT-Mobile shared a similar statement with BleepingComputer, stating it has found no evidence of any customer data being\r\naccessed or exfiltrated.\r\n\"Due to our security controls, network structure and diligent monitoring and response we have seen no significant impacts to\r\nT-Mobile systems or data,\" T-Mobile told BleepingComputer after the publishing of this story.\r\n\"We have no evidence of access or exfiltration of any customer or other sensitive information as other companies may have\r\nexperienced.\"\r\nLast month, The Wall Street Journal reported that Chinese state-sponsored threat actors known as Salt Typhoon\r\nhad breached multiple U.S. telecommunication companies, including AT\u0026T, Verizon, and Lumen.\r\nSalt Typhoon (aka Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286) is a sophisticated Chinese state-sponsored\r\nhacking group active since at least 2019 and typically focuses on breaching government entities and telecommunications\r\ncompanies in Southeast Asia.\r\nWSJ reports that the hacking campaign allowed the threat actors to target the cellphone lines of senior U.S. national security\r\nand policy officials across the U.S. government to steal call logs, text messages, and some audio.\r\nIn a joint statement from the FBI and CISA earlier this week, the U.S. government confirmed that the threat actors stole call\r\ndata, communications from targeted people, and information about law enforcement requests submitted to\r\ntelecommunication companies.\r\n\"Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications\r\ncompanies to enable the theft of customer call records data, the compromise of private communications of a limited number\r\nof individuals who are primarily involved in government or political activity, and the copying of certain information that\r\nwas subject to U.S. law enforcement requests pursuant to court orders,,\" reads the joint statement.\r\n\"We expect our understanding of these compromises to grow as the investigation continues.\"\r\nThese attacks were reportedly conducted through vulnerabilities in Cisco routers responsible for routing internet traffic.\r\nHowever, Cisco previously stated there were no indications that their equipment was breached during these attacks.\r\nThis breach is the ninth T-Mobile suffered since 2019, with the other incidents being:\r\nIn 2019, T-Mobile exposed the account information of an undisclosed number of prepaid customers.\r\nIn March 2020, T-Mobile employees were affected by a data breach exposing their personal and financial\r\ninformation.\r\nIn December 2020, threat actors accessed customer proprietary network information (phone numbers, call records).\r\nIn February 2021, an internal T-Mobile application was accessed by unknown attackers without authorization.\r\nIn August 2021, hackers brute-forced their way through the carrier's network following a breach of a T-Mobile testing\r\nenvironment.\r\nIn April 2022, the Lapsus$ extortion gang breached T-Mobile's network using stolen credentials.\r\nIn January 2023, T-Mobile confirmed attackers stole the personal information of 37 million customers by abusing a\r\nvulnerable Application Programming Interface (API) in November 2022.\r\nIn May 2023, T-Mobile disclosed a breach impacting only 836 customers, but that exposed sensitive information.\r\nUpdate 11/16/24: Added statement from T-Mobile.\r\nhttps://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/\r\nhttps://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/" ], "report_names": [ "t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches" ], "threat_actors": [ { "id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6", "created_at": "2022-10-25T16:07:23.605611Z", "updated_at": "2026-04-10T02:00:04.685162Z", "deleted_at": null, "main_name": "FamousSparrow", "aliases": [ "Earth Estries" ], "source_name": "ETDA:FamousSparrow", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "be5097b2-a70f-490f-8c06-250773692fae", "created_at": "2022-10-27T08:27:13.22631Z", "updated_at": "2026-04-10T02:00:05.311385Z", "deleted_at": null, "main_name": "LAPSUS$", "aliases": [ "LAPSUS$", "DEV-0537", "Strawberry Tempest" ], "source_name": "MITRE:LAPSUS$", "tools": [ "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "d4b9608d-af69-43bc-a08a-38167ac6306a", "created_at": "2023-01-06T13:46:39.335061Z", "updated_at": "2026-04-10T02:00:03.291149Z", "deleted_at": null, "main_name": "LAPSUS", "aliases": [ "Lapsus", "LAPSUS$", "DEV-0537", "SLIPPY SPIDER", "Strawberry Tempest", "UNC3661" ], "source_name": "MISPGALAXY:LAPSUS", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2347282d-6b88-4fbe-b816-16b156c285ac", "created_at": "2024-06-19T02:03:08.099397Z", "updated_at": "2026-04-10T02:00:03.663831Z", "deleted_at": null, "main_name": "GOLD RAINFOREST", "aliases": [ "Lapsus$", "Slippy Spider ", "Strawberry Tempest " ], "source_name": "Secureworks:GOLD RAINFOREST", "tools": [ "Mimikatz" ], "source_id": "Secureworks", "reports": null }, { "id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b", "created_at": "2022-10-25T16:07:24.503878Z", "updated_at": "2026-04-10T02:00:05.014316Z", "deleted_at": null, "main_name": "Lapsus$", "aliases": [ "DEV-0537", "G1004", "Slippy Spider", "Strawberry Tempest" ], "source_name": "ETDA:Lapsus$", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633", "created_at": "2023-11-04T02:00:07.676869Z", "updated_at": "2026-04-10T02:00:03.389898Z", "deleted_at": null, "main_name": "Earth Estries", "aliases": [], "source_name": "MISPGALAXY:Earth Estries", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff", "created_at": "2025-04-23T02:00:55.190165Z", "updated_at": "2026-04-10T02:00:05.361244Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Salt Typhoon" ], "source_name": "MITRE:Salt Typhoon", "tools": [ "JumbledPath" ], "source_id": "MITRE", "reports": null }, { "id": "6477a057-a76b-4b60-9135-b21ee075ca40", "created_at": "2025-11-01T02:04:53.060656Z", "updated_at": "2026-04-10T02:00:03.845594Z", "deleted_at": null, "main_name": "BRONZE TIGER", "aliases": [ "Earth Estries ", "Famous Sparrow ", "Ghost Emperor ", "RedMike ", "Salt Typhoon " ], "source_name": "Secureworks:BRONZE TIGER", "tools": [], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434554, "ts_updated_at": 1775826677, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c9140e563a1987a16d1a3931b0fb54e49886db49.pdf", "text": "https://archive.orkl.eu/c9140e563a1987a16d1a3931b0fb54e49886db49.txt", "img": "https://archive.orkl.eu/c9140e563a1987a16d1a3931b0fb54e49886db49.jpg" } }