The 21-year-old American hacker who is taking responsibility for infiltrating T-Mobile’s systems said the wireless company’s weak security helped him access a trove of records with personal details on more than 50 million people, The Wall Street Journal (WSJ) reported Thursday.
John Binns, who grew up in Virginia in the United States but now lives in Turkey, told the WSJ that he managed to break through T-Mobile’s defences after discovering an unprotected router exposed. Binns has used several online aliases since 2017, and said he had been scanning T-Mobile’s internet addresses for vulnerabilities using a simple tool available to the general public.
“Their security is awful,” said Binns, who has been communicating with the WSJ via Telegram messages from an account that discussed details of the hack before they were widely known.
“I was panicking because I had access to something big,” he added.
Binns has not said whether he has sold any of the data or whether he was paid for the hack, the WSJ reported.
The August hack is the third major customer data leak that T-Mobile has made public in the past two years. According to the company, the latest attack stole an array of personal details from more than 54 million customers including their names, Social Security numbers and birth dates.
Many of the records reported stolen were from prospective clients or former customers that have switched to other carriers.
T-Mobile, which began informing customers of the breach last week, also reminded its users to update passwords and personal identification number (PIN) codes.
The Washington-based company is the second-largest US mobile carrier, with some 90 million mobile phones connecting to its networks.
The Seattle office of the Federal Bureau of Investigation (FBI) is looking into the T-Mobile hack, a person familiar with the matter told the WSJ.
Binns also told the WSJ that it took him about a week to get into the servers.
T-Mobile, which confirmed that more than 50 million customer records have been stolen, has also said that it had repaired the security hole that enabled the breach. It began informing customers of the breach last week.
It remains unclear whether Binns worked alone. In his communications with the WSJ, he described a collaborative effort to crack T-Mobile’s internal databases.
Binns also told the WSJ that he wanted to draw attention to his perceived persecution by the US government.
“Generating noise was one goal,” said Binns.
In his conversations with the WSJ, Binns described an alleged incident in which he says he was kidnapped in Germany and put into a fake mental hospital.
“I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he wrote to the WSJ.
Last year, Binns sued the Central Intelligence Agency, FBI and other federal agencies to push them to fulfil a federal records request he had made for information about FBI investigations of botnet attacks.
The complaint is still active in the US District Court for the District of Columbia.