A 21-year-old American living in Turkey has come forward as the purported hacker who stole data related to millions of T-Mobile customers after breaking into a datacenter used by the wireless phone company.
John Binns told the Wall Street Journal he used a publicly available tool to scan Internet protocol (IP) addresses widely known to be used by T-Mobile, with the scan intended to discover security weaknesses connected to those IP addresses.
He apparently found one at a datacenter in Washington state where he claims an Internet router used by T-Mobile was not properly secured.
Binns told the newspaper his goal was to gain notoriety by “generating noise” about T-Mobile’s lackluster cybersecurity practices. The breach, which was disclosed earlier this month, is one of several involving the theft and leak of T-Mobile’s customer data over the last few years.
In this latest attack, information collected from current and prospective T-Mobile customers for the purpose of carrying out credit checks was accessed, stolen and then put up for sale on the so-called “Dark Web.”
The company acknowledged the breach only after a journalist working for Vice’s tech publication Motherboard discovered the data for sale on an Internet forum popular with hackers.
Binns said that when he first breached T-Mobile’s servers, his initial inclination was to panic “because I had access to something big.”
“Their security is awful,” he told the Journal, adding that it took him around a week to discover and collect the records on millions of T-Mobile’s customers.
The Journal said Binns wouldn’t admit to being the hacker who listed the data for sale online, but Motherboard’s earlier report said the hacker who was trying to sell the stolen data “said they compromised multiple servers related to T-Mobile.”
The hacker who spoke with Motherboard — who may or may not be Binns — said their access was severed when T-Mobile discovered the breach.
Cyber agents with the Federal Bureau of Investigation’s Seattle field office are investigating the breach. T-Mobile U.S., which is partially owned by Germany’s Deutsche Telekom, is headquartered in Bellevue, which lies within the jurisdiction of the FBI’s Seattle field office.
Court records reviewed by The Desk showed FBI agents in Seattle and San Francisco recently obtained search warrants for online accounts connected to Binns and others. The search warrants cite a violation of the Computer Fraud and Abuse Act, the controversial federal statute used in major and minor computer intrusion cases. The contents of the search warrants remain sealed.
If federal prosecutors decide to bring charges against Binns, he could be arrested and sent to the United States to face trial under an extradition treaty entered into with Turkey in 1981.
On Friday, T-Mobile’s Chief Executive Officer Mike Sievert apologized for the breach, saying the company “didn’t live up to the expectations we have for ourselves to protect our customers.”
“Knowing that we failed to prevent this exposure is one of the hardest parts of this event,” he said.
T-Mobile says it has notified customers who were affected by the breach with an offer to redeem two years of free credit monitoring. The company has also retained the services of cybersecurity firms Mandiant and KPMG to “adopt best-in-class practices and transform our approach.”
“This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers,” Sievert said.