T-Mobile Customer Database Allegedly Hacked

Cell-phone carrier T-Mobile USA may have been seriously hacked, with millions of customers' personal details now up for sale in the hacker underground.

"We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," a group calling itself "pwnmobile" wrote in an e-mail Saturday to various tech and security Web sites.

"We already contacted with their competitors and they didn't show interest in buying their data — probably because the mails got to the wrong people — so now we are offering them for the highest bidder," the e-mail continues.

The message then displays a long list of various servers, including names, operating systems and IP addresses, but doesn't include any pilfered data.

T-Mobile wouldn't confirm or deny that a breach had taken place.

"The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile," a company spokesman told the British tech blog The Register and Washington Post reporter Brian Krebs' Security Fix blog. "Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."

Krebs pointed out that a list of servers does not make a hack, and advised readers to take the allegation "with a grain of salt until more evidence of a compromise surfaces."

In 2003, a hacker used a known but unpatched hole in T-Mobile's Web site software to gain nearly full access to the company's entire customer database.

In 2005, a different group obtained the voicemail password to celebrity Paris Hilton's T-Mobile Sidekick cell phone, which resulted in embarrassing photos being distributed on the Internet.

• Click here to read more about this in The Register.

• Click here for Brian Krebs' Security Fix report.

• Click here to view the e-mail.