T-Mobile Data Breach: What Makes This One Different, and What You Can Do Now to Stay Secure 

LastPass, August 19, 2021
Another day, another breach headline. However, a recent breach involving T-Mobile servers warrants a closer look, even for those of us desensitized to this kind of news.

Hackers claimed to have obtained data of 100 million T-Mobile customers from its servers, selling some of this data on the underground web for 6 bitcoin, or $280,000, according to WIRED. Seems pretty par for the (cybersecurity) course, right? Not quite.

The breach not only contained names, phone numbers and physical addresses, but “social security numbers, driver's license information, and IMEI numbers, unique identifiers tied to each mobile device,” reported WIRED.

Personal data, like your phone number and address, is publicly searchable. And other data is most likely already on the dark web (your driver’s license information, for example). Those IMEI (International Mobile Equipment Identity) numbers, though, are not your typical hacker pull. And when you put all these pieces together, this unique data mix is prime bounty for bad actors.

Smishing, or SMS-based phishing, uses those phone numbers and IMEI data to create believable-looking mobile messages that convince you to click. SIM-swap attacks, also using IMEI numbers, involve the hacker contacting your wireless carrier and rerouting your phone number to a new SIM card. If your phone number is linked to your bank, work or social media accounts, just to name a few, that information is now exposed.

In the face of these evolving attacks, from smishing to SIM-swaps, here are steps you can take right now to ensure you’re protected the next time a major breach occurs.

Use app-based authentication

Multi-factor authentication (MFA) uses multiple data points to prove that users are who they say they are: to log in, you supply biometrics (like a fingerprint) or a code sent to an authentication app on your smartphone. If the hackers don’t have the required authentication information, they can't get a foothold into an account.

LastPass’ enhanced Authenticator app gives consumers and businesses the extra layer of security they need in this volatile mobile cybersecurity landscape, including:
  • Biometric-protected push notifications for both password manager and single sign-on applications connected through LastPass
  • Third-party one-time passcodes to access sites that require secondary authentication 
  • Account back-up and recovery for third-party passcodes to streamline Authenticator set-up on a new device or restore if data is lost

Practice good password hygiene

Keeping up with your password hygiene can seem overwhelming, resulting in what has been dubbed “password anxiety.” What are three simple steps to keep yourself in prime password shape?
  • Never reuse your passwords: This includes never reusing your master password. Using the same password for multiple accounts means that if a hacker ever got hold of just one password, that one password would open several doors to your personal data. Use a unique password for every online presence you have.  
  • Use strong, complex passwords: An easy-to-remember (weak) password translates into an easy-to-crack password for hackers online. Always create strong, complex passwords for each of your accounts.
  • Update your passwords: Keep hackers out of your personal data by regularly updating your credentials. Hackers may want to continuously access your account after a breach -- resetting your password can shut the door on compromised data in the future.  

Turn on Dark Web Monitoring alerts

The dark web is the so-called “black market” of the internet, where sensitive data is bought and sold. A driver’s license can fetch over $500, while a stolen passport can net a hacker a profit of $1500.

LastPass’ Dark Web Monitoring continuously checks your email addresses against a database of breached credentials and alerts you immediately, via email notification and within the Security Dashboard, if any of your information has been found amongst breached credentials.

To begin using Dark Web Monitoring, you’ll need to enable monitoring from the Security Dashboard of your LastPass Vault. Turning on this feature will begin checking all the email addresses stored in your Vault against data breaches.

These types of headlines will, unfortunately, continue to appear more frequently as hackers adapt and become craftier in their breach methods. Protect and secure your identity in the face of increasingly complex attacks with LastPass.