A hacker who claimed responsibility for the recent intrusion of T-Mobile's servers called the company's security protocols "awful," saying he gained accessed to the records of tens of millions of people through a publicly exposed router.
Earlier in August, T-Mobile reported a breach it said impacted some 47.8 million customers, with that number ballooning to well over the 50 million mark last week. Separate troves contained the names, birth dates, social security numbers, driver's license and ID information, and IMEI and IMSI data of current, former and prospective customers.
T-Mobile's latest reports indicate data on more than 54 million customers was stolen.
On Thursday, 21-year-old John Binns, an American who now lives in Turkey, told The Wall Street Journal that he was behind the hack.
In an exchange on Telegram, Binns offered evidence of his involvement in the plot and explained a relatively straightforward process that involved probing T-Mobile's online infrastructure with publicly available tools. After discovering an unprotected router in July, the hacker used the entry point to penetrate a data center outside East Wenatchee, Wash., where stored credentials enabled access to more than 100 servers, the report said.
"I was panicking because I had access to something big," he said. "Their security is awful."
Binns spent about a week parsing the servers before downloading the data cache on Aug. 4. Some nine days later, security research firm Unit221B told T-Mobile that someone using the IRDev alias was attempting to sell its customer data to online criminals. Binns provided the WSJ with evidence that he could access accounts linked to IRDev.
The hacker said one goal of the intrusion was to "generate noise," saying he wanted to expose an alleged incident in which he was abducted and placed in a fake mental hospital in Germany. He made similar claims to a U.S. relative last year, but the allegations have not been substantiated.
Online profiles connected to Binns have been tied to other high-profile hacks, the report said.
T-Mobile in a statement said it was "confident" that it closed access to the weak points used in the attack. The company is offering two years of identity protection service to customers affected by the breach.