IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

LAPSUS$ breached T-Mobile systems, stole source code

T-Mobile has denied that the hackers obtained customer or government information

The LAPSUS$ hacking collective managed to breach T-Mobile systems using employee credentials and downloaded more than 30,000 of the company’s source code repositories.

This is according to evidence obtained by investigative reporter Brian Krebs, who detailed the data breach on his KrebsOnSecurity blog.

LAPSUS$ members accessed T-Mobile's internal company tools on several occasions in March, using T-Mobile VPN credentials purchased through the dark web, including a stolen data trading platform known as the Russian Market.

Conversation screenshots obtained by Krebs show how easy it was for the hackers to find new login credentials in the case that a targeted employee had changed their password, using SIM-swapping to bypass two-factor authentication. LAPSUS$ member ‘Amtrak’ had detailed to a member known as ‘White’, who has been using the Lapsus Jobs account, how they had found a new T-Mobile employee account to target, allowing them to access the company’s Slack communications.

‘White’, also known as ‘WhiteDoxbin’ and ‘Oklaqq’, is an Oxford-based teenager who was one of the LAPSUS$ members arrested and charged in late March. He is believed to be one of the leaders of the hacking group, despite his young age – estimated to be 16 or 17 years old at the time of the attacks.

Screenshots obtained by Krebs seem to hint that the hackers’ legal guardians are aware of criminal activity, with ‘Amtrak’ telling ‘White’: “Parents knkw [sic] I simswap [sic]”.

Related Resource

Secure hybrid cloud for dummies

Accelerate transformation with hybrid cloud

Whitepaper cover with cartoon man's face wearing glasses in yellow circle with blue, black and yellow colour block backgroundFree Download

Apart from T-Mobile’s Slack channels and Bitbucket source code repository, LAPSUS$ also managed to gain access to the company’s customer account management platform Atlas.

Despite this, T-Mobile has stated that “the systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value”.

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete,” the company told KrebsOnSecurity.

This is the third known data breach for T-Mobile in 15 months, following an incident affecting around 200,000 customers in January 2021 and 47.8 million customers in August 2021. The company also fell victim to three other breaches between 2018 and 2020.

Commenting on the news, Mike Newman, CEO of identity & access management (IAM) solution provider My1Login told IT Pro that “this latest breach on T-Mobile is yet another example of how attackers are relying on credential theft to carry out ransomware attacks”.

“Today all ransomware gangs, from BlackCat to LAPSUS$ to DarkSide have been relying on compromised user accounts to gain an initial foothold on an organisation’s network and then turn off security controls, steal data and deploy ransomware. This means to fight back against these attacks we need to focus on improving the security of user credentials and passwords, so they can’t be stolen or socially engineered out of victims in the first place,” he added.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022