Follina a silent Client-Side

Mariano Quintana


Twitter Facebook linkedin

The Shock wave of Data Breaches(The T-Mobile case)

The term shock wave refers to the intense hyper pressurization impulse created by detonating a high explosive. This impulse generates lesions that are characterized by anatomical and physiological changes produced by the direct or reflective hyper pressurization force that impacts on the surface of the bodies. As the term says, the explosion of a high-power device is needed and said explosion alters the objects that are directly in the radius of action of that wave.

Now, what does this have to do with computer security and data leaks? That is where the most important question of this article arises: Is information our high-powered device, which can explode at any moment? If the information is this explosive, can its detonation (Referring to the data leak) affect nearby targets? Could it even have a longer range? Throughout this post we will analyze the case of the T-mobile company and how its recent leaks are having consequences in various areas.

T-mobile is a wireless telecommunications company, providing cellular network services particularly in the United States and around the world. T-Mobile's history dates back to 1994, when it was founded in Bellevue, Washington, United States, as VoiceStream Wireless PCS, a wireless telecommunications company. The company initially operated in the Pacific Northwest of the United States, but quickly expanded to other regions of the country. In 2001 the German company called Deutsche Telekom acquired VoiceStream Wireless PCS and later renamed it T-Mobile USA in 2002. With this acquisition, T-Mobile became the first wireless telecommunications company owned by a European company operating in the United States (That is why there is often confusion regarding the nationality of this company).

Well, if we're talking about shockwaves, when we discuss an affected telecommunications company, we're talking about a perfect storm, with all the necessary ingredients to generate that proper hyper pressurization (If you skipped the intro and got this far, I explain it in the intro) since T-Mobile has recently suffered several data breaches. About 6 days ago, there was a second data breach in 2023, setting off alarms for all users of this company. These recent data breaches occurred after the first one, which took place in late February, revealing data of 37 million people. Although the recent incident affected only 836 customers of the company, the amount of information exposed is truly extensive, exposing affected individuals to identity theft and phishing attacks that remain common worldwide.

On many occasions, current data breaches may or may not be a consequence of security issues that occurred in the more or less distant past (Take note of this for later) if we were to create a timeline to try to find the root of the problem when a data breach occurs, we could travel back in time to gather information about previous attacks on a particular company, in our case, T-Mobile:

  • December 2020
  • T-Mobile reports that 200,000 people were affected by a data breach.
  • August 2021
  • T-Mobile reported that an attacker stole the personal data of 50 million customers.
  • April 2022
  • The company confirmed that the Lapsus$ extortion group accessed their networks using stolen credentials, affecting 30 million users.
  • January 2023
  • Data of 37 million people is revealed.

Although, as we mentioned in the previous paragraph, these issues may or may not be related, the reality is that the recent data breach was associated with an application used to manage customer accounts. Attackers found a way to exploit this vulnerability to gain access to customer names, phone numbers, birth dates, among other things. As a consequence of the loss of confidentiality in the past, the same company provided customers with anti-malware and anti-spam solutions to compensate for the shortcomings in previous processes.

On this occasion, the actions taken by T-Mobile was to reset the PINs of the accounts of the affected users and also offer them two years of free credit and identity theft protection services.

What do we need to understand to know if a security breach is important or not for my company?

These types of breaches often have a high number of negative consequences for the affected customers and in the future allow attackers to execute identity theft attacks using the leaked personal data. But this happens and mainly seems to affect the personal level of the affected individual in question. Now think about what would happen if the affected individuals have some kind of interaction with our company, let's call interaction to any existing connection, be it through the use of technology or some affected service provided related to these issues.

How does this affect us currently?

It doesn't necessarily have to be a direct interaction for it to harm our services; it would be enough for an external provider (who has our data) to have T-Mobile as their phone provider for that shockwave to fully impact our confidentiality with that provider.

Example: An Argentine company has Microsoft as a provider, whose employees use T-Mobile. Those employees exchange our information using the affected telecommunications company's service. (In this case, we see that it doesn't affect us directly, but indirectly we could experience an impact or lateral leakage).

So, how do we stay on top of everything?

It is a reality that the incident response teams (CSIRT) of companies must be aware of all the attacks that occur towards their own company. This task is already a titanic one since it not only implies that they must be one hundred percent attentive to the alarms that passive defense systems provide but also must be alert to news, user behavior, reduce impact, restore business continuity, prevent future incidents, and also depend on the proper functioning of other teams, plus a long list of other tasks. Now, imagine adding to that enormous list of tasks that they should also be aware of leaks from other companies.

It would be something utterly impossible to understand and apply, especially for the average user, how a leak from another company could affect me. It's not only unmanageable but also a task that would seemingly lead to an overwhelming workload for incident response teams. To understand how this works, imagine that a data leak is a bomb being dropped in a particular place.

This particular place is the most affected of all, but there are nearby locations that may receive a lesser or greater impact, depending on the leaked data.

This shockwave, in a more literal case, tends to decrease in power as it moves away from the main target. However, when discussing a data bomb, the damage that occurs may or may not depend on proximity to the incident's epicenter. This is because data transcends borders, and as we explained earlier in the example, it doesn't depend on direct proximity. Serious data can impact and attack previously built trust relationships with the goal of acquiring a service.

Should all Data breaches concern us?

There are several potentially risky situations that could harm us. For example, if the affected company is a telecommunications company, as in this case, all companies that share the database with it or all companies related to this telecommunications company could have a much greater impact than the rest of the companies.
Since customers of a telecommunications company today have more than one resource associated with this issue, a recipe for staying on top of everything would be to filter security news in such a way that it is associated with the interests of our company. For example, if we are a banking entity, we know that there is a connection between all other banking entities, so an impact can be a sufficient alarm to pay attention to a breach in this field.

But this is the simplest case; truly understanding all the interactions our company has with the environment is a task that involves an increase in awareness of the resources and data we handle. That's why having areas that specifically focus on research helps a lot in these matters to provide feedback on the analysis that a CSIRT can perform based on its current scope. Another important point to consider is that we must protect users' identities according to all the leaks that occur; having engines that defend us from password spray attacks is very useful when detecting if users' accounts in the business environment are being used in other systems and also if those accounts use passwords recently leaked in the corresponding major Data breaches.

What questions should I ask myself?

So, when faced with leaks, it may be more important to ask ourselves a series of questions to evaluate the impact on our company and see if it is necessary to pay attention to it or not. Within the data, we must always consider the following points, to be aware of our information before questioning the interaction with the Data Breach;

Previous questions:

  • What is the most critical data for the company?
  • What are our crown jewels?
  • Which providers interact with these resources?
  • Where do these providers provide service?
  • Do we have the proper confidentiality agreement signed?
  • In the event of such a significant incident, to what extent can I transfer responsibility to the affected provider?

Data Breach discovery:

  • Is it located in the same area as our most critical providers?
  • Do any of our providers use the affected company's services?
  • Are any of our providers the affected company?
  • If it's a provider, do we have an up-to-date confidentiality agreement?
  • Are any of our former providers the affected company?
  • Was any technology affected?
  • Is the affected technology used by our company?
About the leaked data:

  • What types of data were leaked?
  • Are they data of our company's members?
  • Have passwords been leaked?
  • Do the members of our company use similar passwords to the leaked ones?

These types of questions, among other inquiries we could make, will be of great help when analyzing whether or not I need to pay attention to these leaks.


Among other things, we must learn to fine-tune our detection tools. Often or always, it's not enough to just look out for ourselves and ensure that our company is not attacked. Therefore, it is advisable to stay current with developments in the computer world to properly anticipate attackers. If we have no connection with the victim or the affected company, this particular situation with T-Mobile serves to focus on continuous learning so that we don't experience what is happening to others in the present time.