On the evening of January 10 I was alerted after receiving two consecutive text messages from T-Mobile saying that "The SIM card for XXX-XXX-XXXX has been changed. Visit t-mo.co/acct-history to view account history. If this change is not authorized go to t-mo.co/help or call 611". Clicking t-mo.co/acct-history opened Safari on a page that would not load. A visit to the help page was completely uninformative about the specific message as well.
I then called 611, and the first representative I spoke to spent all her time giving me empty talk about how much T-Mobile cares about my security. Even worse, she kept reassuring me that, after checking (who knows what), the account was safe to use. She could not answer my question of how it was possible that the SIM card had been changed without me doing anything to the phone or initiating it myself from a store or online. I didn't let it go and asked to escalate the issue, and my call was transferred to a support manager.
In the meantime I noticed that I had started to receive notices from other services notifying me of attempts to use my accounts from new devices, changes to the PIN and so forth. One of them succeeded, using an email address they knew and a simple one-step verification with the confirmation code in a text message that the hijacker received and I did not.
One of the suspicious notifications I received was from T-Mobile itself, saying that "Equipment has been moidfied for device # XXXXXXXXXX. The imsi has been changed from # X---------41211 to # X----------21142." (spelling error in the original). I asked the second T-Mobile representative how it was possible that the IMSI had been changed without any action on my side. In addition to the same useless talk about how much T-Mobile cares about my security, I got the impression that he didn't even know what an IMSI was. As a consolation, and to move on, he assured me that an investigation would be started.
After hanging up, I spent a few hours patching things up and, as a safety measure, I had to cancel six credit cards, change passwords and so on. In an attempt to avoid detection, and after trying to get into important accounts of mine, the hijacker had restored the original IMSI and I was able to use the phone. Hence the second consecutive, identical text message.
In the middle of the night, I called 611 again to ask if they had found something in the meantime. This time I had a better idea of the breach and I tried to explain that, in my opinion, it was a serious breach and that I had clear evidence that T-Mobile had leaked my data, including my email addresses and the IMSI, a number that, I assume, T-Mobile would not even have given to me if I had begged.
Needless to say, they had nothing useful to report, not even a trivial explanation of what happened, and of course I got the usual mantra and no admission of any wrongdoing or data breach. It was not the representative's fault, as this whole discussion was obviously above her pay grade (and her supervisor's as well).
One day has passed and I have no updates. What has happened is obvious to me: this is either the tail of the data breach T-Mobile had in 2018, about which I was not alerted, or a whole new data breach.
I have been a T-Mobile customer since they arrived in California through an acquisition in 2001. At some point I had 20+ T-Mobile SIMs for my company. It is great that T-Mobile cares about my security, but they don't seem to be able to protect their network or to write an API that doesn't leak their customers' private and very crucial information, like the IMSI numbers. Unless I hear a very detailed and convincing technical explanation of the incident, my days with T-Mobile are numbered.
I invite everyone to be super alert.