Some Good Advice From Brian Krebs

Brian Krebs over at Krebs on Security has a post on the latest T-Mobile breach, in which cybercriminals stole the account details of roughly 37 million US customers. There aren’t many details about the exploit other than that the attackers “abused” an API to gain access to the records.

The majority of the post discusses the consequences of the breach for T-Mobile and most Irreal readers probably won’t find it all that interesting. For me, the most valuable part of the post was the last two paragraphs. The penultimate paragraph begins, “Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can.”

Krebs goes on to explain that even though many sites require a phone number to register an account, you can often delete that number afterwards on the account management page. That may seem like a lot of trouble, and you may wonder why it is worth it. The TL;DR is that a phone number tied to an account gives criminals an easy way to compromise it: many services will reset a password with nothing more than a link or code sent by SMS, so whoever controls your number, whether through a SIM swap or a port-out, controls the account. See the last paragraph of Krebs’s post for the details.

Krebs, of course, is a serious security researcher and his recommendations should be taken seriously. Between this breach and the one in 2021, T-Mobile has leaked the details of well over 50 million accounts. Even if you’re not a T-Mobile customer, your carrier may be next, so it makes sense to reduce the attack surface as much as possible.
