Last year, hackers discovered a bug that allowed them to access some private data on any T-Mobile customer. The bug was so well-known within the criminal underground that somebody made a tutorial on how to exploit it on YouTube.

The bug itself didn't expose anything too sensitive. No passwords, social security numbers, or credit card information was exposed. But it did expose customers' email addresses, their billing account numbers, and the phone's IMSI number, a standardized unique number that identifies subscribers. Just by knowing (or guessing) a customer's phone number, hackers could get their target's information.


Once they had that, they could impersonate the customer with T-Mobile's customer support staff and steal their phone number. This is how it works: a criminal calls T-Mobile, pretends to be you, convinces the customer rep to issue a new SIM card for your number, the criminal activates it, and they take control of your number.

Phone numbers are increasingly the recovery option for forgotten passwords, so when attackers take control of a phone number they can then hack into the victim's bank, social media, and email accounts.

None of these are theoretical scenarios. Ever since we revealed the bug and helped get it fixed, roughly two dozen victims reached out to share their stories. And just last month, T-Mobile started the process of alerting all customers that fraudsters are trying to hijack their SIM cards and phone numbers.

Have you been a victim of this kind of hack? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

To show how damaging and hurtful these hacks can be, we're sharing some of the most harrowing stories that victims shared with us. The stories have been edited for length and clarity and haven't been independently verified by Motherboard.

Tina Herrera

This just happened to me over the weekend. I lost service late Saturday night and assumed it was an issue with my always buggy iPhone. Then on Sunday morning my husband got a text from T-Mobile saying that a line on our phone plan had been cancelled (mine) and I quickly discovered that $1200 had been wired out of my checking account to someone in [redacted] with my same last name.

I have my phone number back and am getting reimbursed in the next few days. But, T-Mobile was disturbingly casual about all of this, playing dumb about how the port out could have happened even though there has clearly been evidence of the hacks for the past 6 months. We're still waiting for a customer service manager to get back to us and give us any answers.

Fanis Poulinakis

Today I lived a nightmare.

My phone all of a sudden stopped working. I tried to contact T-Mobile via Twitter—no phone, right?—It took them an hour to let me know that someone must have transferred my number to another carrier and they asked me to call my bank to let them know.

I immediately logged in to my bank account and voila! $2,000 was gone.

I've spent the whole day between T-Mobile, Chase Bank and trying to understand what happened. What a nightmare.

[…] It is unbelievable—and I think it is also negligence on T-Mobile's side that they do not make it mandatory to have a password linked to the phone number rather than the social security number. […] It's the first time I am realizing how vulnerable our information is.

Anonymous Victim 1

I'm currently being affected by this. I've tried getting this resolved with T-Mobile, which has not been helpful. Yesterday, I went to a T-Mobile store with ID to prove my identity, but the hacker had already blocked the T-Mobile account. And, because I'm not the account holder, just an authorized user, they won't give me information.

[…] The thief has been able to hack into my AOL email at least 3 times since Sunday, by having the 2FA calls answered on another device. I only recently got a new iPhone X. The thief was also able to successfully request a replacement AmEx card be sent to [redacted] by placing outgoing calls to AmEx.

Thomas Ciccarelli

I was targeted multiple times today.

I was alerted this morning about someone trying to access my SIM. I told the rep to lock my account and not allow anything unless I'm physically present in the store. 4 hours later my phone is alerted with a "No network available" message. I knew the hacker got through.

[…] they pretended to be a T-Mobile employee and got access to my SIM. They said they didn't have a record of who gave them access but said they only had it for about 3-7 minutes. I started to get alerts on all my email accounts that my passwords had been changed. It took about an hour to regain control of everything but I'm panicked. I'm unsure what they were able to grab and I find it completely irresponsible of T-Mobile to allow such a sensitive piece of information to be given out even with a lock on my account. I'm unsure who to talk to and currently just sitting staring at my email and bank accounts waiting for disaster. This is a huge issue that needs to be looked at. Everything revolves around our phones and this company needs to be responsible with the power they hold over our lives.

Barry W.

I actually got hit by that back in November on the Veterans Day holiday. Not only did they port my number out but they hijacked one of my credit accounts and applied for a credit card. They got a $20k account approved and proceeded to go on a Google Pay shopping spree. Luckily all charges were declined but this was all due to T-Mobile's lack of security on the account.

[…] I was pretty disappointed in T-Mobile's lack of security for their customers. I had to go through 7 Tiers of their Help Desk before someone actually got the ball rolling to recover my account. I'm pretty sure that the first 6 Tiers were overseas due to the fact it was hard to understand the tech.

Heather Thomas

Happened to me the same exact way two weeks ago. Except mine came via a text message that looked like it came from T-Mobile. It came from 611. My husband had just gotten a new phone the night before and the text said to click the link to confirm the new plan. Of course I clicked the link and suddenly my phone stopped working! About twenty minutes later I got an email from Wells Fargo Zelle confirming my wire transfers of two two-thousand-dollar transfers!

I called Wells Fargo first to try to stop it but it was too late! It's been two weeks and I've yet to get my money back!

Meghan Clifford

This happened to me. I lost $5200 in total, $1999 from one account, $2500 from another and $600 in credit card points redeemed for cash. I still haven't gotten my number back and have spent countless hours closing and reopening all my bank accounts, filing a police report, dealing with banks, credit card companies and TMobile. I've had to pay interest on my credit card as all my funds were frozen from Jan 9 to Jan 25th and I'm pretty sure I'll get some check return fees because I didn't change my transfer account for my auto debits in time.

The best part was TMobile sent me a bill and charged me for ending my service and porting out my number. Are you kidding me?!?!

Anonymous Victim 2

My T-Mobile number was hijacked yesterday. As a result, $4,000 was stolen from my Chase account over two days. Both companies responded quickly to help me remedy the situation.

Anonymous Victim 3

Obviously this didn't sound right, but before I could do any research on my phone, I noticed I had no service. My SIM card was no longer authorized on the network. Since my mobile provider (T-Mobile) was just down the street, I headed to their office and showed them the message and that I hadn't authorized a number transfer (not to mention that I had never heard of Simple Mobile). Sure enough, her system showed that my account was cancelled because someone (clearly not me) had "ported" my phone number to another service.

After about 45 minutes of navigating the customer service phone jungle, we finally were able to get my number ported back to T-Mobile and put it back into my account. After resetting my phone, and reconnecting to the network, my phone blew up with a slew of notifications, most of them harmless, but a few were from my bank. This is when the T-Mobile employee told me that when my number was ported, my payment information most likely went WITH it because (a) I have auto-pay on my account and (b) Simple Mobile is the pre-paid low-cost plan under T-Mobile, so the companies are tied together.

While my phone number was out of my possession the perpetrator had managed to request a password reset through my bank. All they needed was my debit card number (which I assumed they now had) and my phone number for the 2-factor authentication. After they changed my password, they used the direct payment service through my bank to transfer out $2000 to someone that, oddly, had the same last name as me (unsure if this is coincidence or part of the scam so that the bank won't question such a large transfer). I immediately called my bank and locked down everything including my mobile banking access. Now I had my phone number back, but my money was locked down for the rest of the weekend.

The time it took from having my number "stolen" to the money being transferred was only 18 minutes.

If you think you could become a victim of this scam—and even if you don't—we recommend calling T-Mobile or whatever phone provider you use and asking them to set up a "port validation" passcode. This is also known as a phone passcode or PIN, depending on your provider (most US providers offer this feature now). It should be unique, different from your password for your phone provider's website (such as https://my.t-mobile.com/ or https://www.verizonwireless.com/my-verizon/), and you should keep it in a safe place, such as your password manager. You must provide that passcode or PIN when you request a new SIM or switch providers, which stops others from impersonating you.


This article sources information from Motherboard.