Hacked on my other services by someone who hacked my T-mobile account and then used DIGITS to get my texts for authorization (Stop this)

thehbk@gmail.com

    as above

     

    Digits was introduced without my knowledge, and basically used by someone to hack my t-mobile account and then use this account to hack into all my other services, as Digits lets you receive your text messages, which are literally one of the biggest security hacks right now.

     

    Please remove this from my device and give customers the option to NEVER have Digits. (I can see it can be useful unless this s

      All replies

      • debjitjdv

        Hi thehbk,

         

        Sorry to hear this. Would you mind explaining this a bit more? Yes, DIGITS is a full-fledged talk and text service and that's how it is meant to be. A complete second line without the need for a SIM card. There are several things that I do not understand:

         

        1. Unless someone knows your T-Mo credentials, how can they get access to your account and assign DIGITS to themselves?

        2. The moment someone assigns themselves to your number via DIGITS portal, T-Mo sends you a text and an email to your T-Mo ID to let you know that an assignment has been made and if it is not legitimate, then warns you to remove them immediately.

        3. No shortcode texts are allowed in DIGITS number (both in Virtual i.e. DIGITS T&T and Duplicate number i.e. DATA with PAIRED DIGITS). Usually, to authorize yourself for different services like banking etc, you will receive the one time code as a shortcode text which will only arrive in your sim number.

         

        There are a few steps you can take to ensure your account's safety. T-Mo has enabled 2-Step Authentication to log in to your account for long now. You need to enable it now so that even if someone gets their hands on your T-Mo credentials, without the 2FA code, they won't be able to log in to your account. You should keep an eye on the texts/emails sent by T-Mo for possible frauds and compromise. Enabling 2FA in your other services like banking etc. is a good idea and is a standard practice nowadays.

         

        Nevertheless, your input is very valuable. If you have a few mins to explain the scenario and your possible take on how the "hacking" might have happened, our wonderful admins can pass those as potential guidelines to the security team to put necessary safeguards in place to avoid these sorts of scenarios.

         

        Again I am sorry to hear this. Looking forward to hearing from you soon and please tag me as debjitjdv

        • magenta1254

          Exact same thing happened to me yesterday. My t-mobile app shows Digits was activated May 9, but I did not receive an email or text then or when Digits debuted. My phone log shows a call as being answered by another device shortly before a google authentication code arrived, followed by a gmail change in password and a change in recovery phone. I use my phone a lot because iPhone viruses/attacks are rare. But Apple can't protect me from my phone company's new features. I love t-mobile, but I want to know when they decide to do things that increase my risk, so I can opt in, rather than having to opt out after I've been hacked.

            • debjitjdv

              magenta1254

               

              I am sorry you had this experience. But being with DIGITS since day 0 of its BETA, I can assure you unless you have shared your credentials with anyone and if you have 2-factor authentication enabled, it's impossible to get your number assigned to anyone. T-Mobile does not have numbers anymore, all numbers are DIGITS. But it needs to be explicitly associated with a T-Mo ID other than yours for someone else to access it. Your incident indicates that your credential is compromised, which I believe has nothing to do with DIGITS. There are several security features that T-Mo has introduced and I encourage you to avail of those.

               

              1. Security questions for your account login

              2. 2 FA

              3. Strong password

              4. Account PIN (to avoid unwanted port out)

               

              Please do not share your credentials with anyone if you are the primary account holder. And you can always see which devices are accessing your numbers in the portal at https://mydigits.t-mobile.com/consumer/#/login

            • magenta1254

              Nice try, debjitjdv

               

              I've been hacked, thanks to Tmobile and digits, and I have the breadcrumbs to prove it. Let me rephrase, my digits (aka phone number and access to my phone calls and text messages) service was set up by someone else because I am one of millions of people who had their data compromised via massive security breaches. I'm on auto pay and I don't use T-Mobile's website, or at least I didn't until I was forced to take security steps for myself after being hacked via someone else setting up digits on my number.

               

              Digits may be fine if you started with it intentionally and secured your account. I didn't know about digits, didn't request digits, didn't set up security to protect myself against digits. This is the problem.

               

              The interesting thing here is that none of my accounts are safe anymore with 2 FA because the hackers were able to set up thru Tmobile access to read my text messages (that's the most common second factor). So now the hackers have a back foot.

               

              Tmobile's digits problem allowing customers to be hacked is pretty widely reported, even in mainstream media.

                • debjitjdv

                  magenta1254

                   

                  I am not trying to prove anything here, my friend. I am just a general user and I am myself also a victim of the security breach that caused hundreds of thousands of credentials to be compromised. The fact is your DIGITS service was set up by T-Mo when they transitioned and by no one else. What bothers me from your post is that 2FA is compromised. The reason I am saying this is because DIGITS is set up in a way where the 2 FA code only arrives in your primary SIM card device. Neither DIGITS T&T number nor DATA with PAIRED DIGITS SIMs are allowed to receive 2FA codes. It was blocked early last year even before DIGITS was launched formally.

                   

                  If according to you hackers are able to read your 2FA text messages, I believe that has nothing to do with DIGITS possibly. Your main account credential that they are using and it might be the problem with the main backend. Can you change the credentials, set up the 2FA in the T-Mo account itself? I am really sorry that you are facing this but I am sure T-Mo is doing the best they can to prevent this.

                   

                  And also just FYI. 2FA authentication which is delivered via SMS has very weak security. It does not matter which carrier you are using because usual text messages are not encrypted like WhatsApp or Telegram or Signal or GChat or iMessage. A remote code execution using a downloaded malware can cause reading all of your messages and call logs without your knowledge. Again, I am not saying on behalf of T-Mo because I am not a T-Mo employee, rather I am just re-iterating the limitation of the technology. And that's the very reason there are in-app authentication or authenticator apps (like Google Authenticator, Microsoft Authenticator, DUO Mobile) available in Play Store or in iOS App Store.

                • magenta6020674

                  I received a letter from T-Mobile security that confirms this has occurred exactly as described above.

                  • magenta6330040

                    This just happened to me as well! I had no clue what DIGITS even was till yesterday, but I noticed I had a text saying that a device that wasn't mine logged into DIGITS using my number... then they also had my gmail authorization code texted to me and were able to get into that and get into my email from there and then they changed my password, recovery email, recovery phone number, security question, and set up 2 factor authorization on their own phone. Since I'm not glued to my phone 24/7, I wasn't able to stop this till about 2 hours after I saw the text from T-mobile, but by that time it was too late and they took my email from me (I'm still trying to fight to get it back, but with all of my security features changed, it's much more complicated). They even managed to shut my phone line down a couple hours later while I was in the process of trying to contact T-mobile about it (which luckily my husband's phone still worked for me to contact them and get it back). I have no idea how someone was able to get my info to log into this DIGITS app with my number, since I don't share that with anyone. I'm super paranoid now that this could happen again now that my account has already been compromised. I've loved T-mobile up to this point, but this is a HUGE security issue!