CNET también está disponible en español.

Ir a español

Don't show this again

Security

T-Mobile hack may have exposed data of 2 million customers

T-Mobile says that passwords may have also been accessed, though only in encrypted form.

Portable device photo illustrations

T-Mobile fought off hackers on Monday, but customer data may have been exposed.

NurPhoto/Getty

T-Mobile has revealed that hackers may have stolen the personal information of some of its customers.

The intrusion took place on Monday, and some customer data "may have been exposed" before the carrier's cybersecurity team shut off access and reported the breach to law enforcement, it said in a statement.

Around 3 percent of T-Mobile's 77 million customers -- more than 2 million people -- may have been affected, a company representative told Motherboard. Those people are being notified via text message.  

The data breach included customer names, billing zip codes, phone numbers, email addresses, account numbers and account types (prepaid or postpaid). Credit card numbers, social security numbers and passwords weren't accessed, the company initially said. 

However, a T-Mobile representative later clarified to CNET and Motherboard that "encrypted passwords" had been exposed. 

The company says that hackers couldn't actually read them -- since they were encrypted -- but Motherboard says that a pair of security researchers believe T-Mobile used the MD5 algorithm to protect them, a protection scheme whose own author declared it "no longer considered safe" back in 2012. 

T-Mobile wouldn't confirm whether it used MD5.

The company also suggested the hackers were "international," according to our sister site ZDNet.

The company has recently been working to rebuild its approach to customer service, with a nationwide launch of care centers aiming to offer more dedicated service, and has committed to building a nationwide 5G network by 2020. 

Update, 4:47p.m. PT: T-Mobile  clarified that hackers might have seen encrypted passwords, but not ones they could necessarily access or use.

Now playing: Watch this: Plenty of Android phones came with vulnerabilities pre-installed
1:01