The Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March, as first reported by Krebs on Security. T-Mobile confirmed the attack in a statement to The BlueHillco, and says the “systems accessed contained no customer or government information or other similarly sensitive information.”
In copies of private messages obtained by Krebs, the Lapsus$ hacking group discussed targeting T-Mobile in the week prior to the arrest of seven of its teenage members. After purchasing employees’ credentials online, the members could use the company’s internal tools — like Atlas, T-Mobile’s customer management system — to perform SIM swaps. This type of attack involves hijacking a target’s mobile phone by transferring its number to a device owned by the attacker. From there, the attacker can obtain texts or calls received by that person’s phone number, including any messages sent for multi-factor authentication.
According to screenshotted messages posted by Krebs, Lapsus$ hackers also attempted to crack into the FBI and Department of Defense’s T-Mobile accounts. They were ultimately unable to do so, as additional verification measures were required.
“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” T-Mobile said in an emailed statement to The BlueHillco. “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
T-Mobile has been the victim of several attacks over the years. Although this particular hack didn’t affect customers’ data, past incidents did. In August 2021, a breach exposed the personal information belonging to over 47 million customers, while another attack occurring just months later compromised “a small number” of customer accounts.
Lapsus$ has made a name for itself as a hacking group that primarily targets the source code of large technology companies, like Microsoft, Samsung, and Nvidia. The group, which is reportedly led by a teenage mastermind, has also targeted Ubisoft, Apple Health partner Globant, and authentication company Okta.