A hacker who stole the data of 54 million T-Mobile customers has called the carrier’s security “awful”.
John Binns, a 21-year-old American who now lives in Turkey, claimed responsibility for the hack on Thursday to the Wall Street Journal.
Binns claims he was able to gain access to the data of customers through a publicly exposed router.
“I was panicking because I had access to something big,” he said. “Their security is awful.”
Binns probed T-Mobile’s infrastructure using public tools and, upon discovering the router, used it to access a data centre outside East Wenatchee, Washington. Stored credentials then enabled Binns to access more than 100 servers.
It’s hard to disagree with Binns’ assessment that awful security protocols at every level allowed him to access the data with relative ease.
Security researchers from Unit221B contacted T-Mobile to inform the operator that someone using the alias ‘IRDev’ was attempting to sell customer data. Binns later proved he was able to access the accounts linked to IRDev.
Things get a little strange when it comes to the reason for the hack. Binns claims he wanted to “generate noise” to expose perceived persecution by US government authorities, including an alleged incident in which he claims he was abducted in Germany and put into a fake mental hospital.
Binns has been linked to other high-profile hacks through various online profiles. The hacker maintains the only reason for going public is to expose the unsubstantiated claims he makes about US authorities.
“I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he wrote in a Telegram message.
T-Mobile said that it’s confident that it has closed the weak points that Binns used in the hack and has offered two years of identity protection service to affected customers.