UScellular confirms customer data posted on dark web is from recent breach


UScellular has confirmed to Cybernews that the customer data a hacker posted on the dark web earlier this week is from an actual breach that apparently took place in January.

In a Cybernews exclusive, we have an update on the hacked UScellular customer database our research team found up for grabs on the dark web earlier this week.

UScellular spokesperson Katie Frey has confirmed that the stolen customer data, which was posted by a reputable hacker on Breached, one of the world's top five leak sites, is from a recent breach of one of their third-party vendors.

The hacker, known on the site as IntelBroker, posted the data as a free download link, claiming the breach was from January 2023 and involved 144K customers.

UScellular states the number of customers whose data was stolen in the breach is only 52K, according to an email response sent by Frey to Cybernews late Friday.

“We have been made aware of a recent security incident at a former third-party vendor resulting in unauthorized access to now out-of-date UScellular customer data. This data included names, email addresses and other account information for about 52,000 accounts,” the email states.

According to Frey, the third-party vendor is no longer affiliated with the mobile carrier.

“Our relationship with this third-party vendor was for a limited time. We continue to review this incident and determine our next steps,” Frey wrote.

Cybernews reached out to UScellular about the leak after our research team discovered a sample of the customer data posted Wednesday morning on BreachedForums under the heading, "U.S. Cellular Database, Leaked - Download."

The UScellular website was down at the time of discovery, but was back up soon after. Our team said it was not clear how long the website had been down.

Frey also noted that “the data did not include Social Security Numbers, credit card numbers, or other sensitive data.”

But, as reported earlier by Cybernews, the data did include other sensitive information such as the customer subscriber ID, subscriber and account keys, full name and business name, account activation date, current cellular plan and price, device manufacturer and model, current balance, and whether the user is enrolled in autopay and/or has an insurance policy on their device.

Although Frey stated the customer information posted on the Breached site was out-of-date, there is no proof that those customers involved are not still active with UScellular – and therefore could be further compromised.

Many account details found in this customer database may not have changed much if the breach happened more recently, as the hacker claimed.

UScellular has not revealed to Cybernews the name of the third party, or where and when the breach occurred – but did confirm the data was not from a previous breach the company suffered in December 2021.

“Also, I saw your reference to it being unclear if this is related to the December 2021 incident, and I wanted to clarify that these incidents are unrelated,” Frey wrote.

In the 2021 breach, 400 customers were exposed after the UScellular billing system was hacked.

The five-day breach was discovered on December 19, and notices were sent out to those customers on December 23. The story did not break until the first week of 2022.

The UScellular data leak coincides with the now-linked T-Mobile and Google Fi breaches announced last month.

The data of 37 million T-Mobile customers was compromised January 5 after suspicious activity was found in their network systems.

Three weeks later, Google Fi announced their customer data had also been exposed in connection with the T-Mobile breach.

UScellular has been a primary network carrier for Google Fi since 2016, and T-Mobile since 2015.

Because Frey described the third-party vendor relationship as "time-limited," the Cybernews team remains undecided, without more information, on whether the UScellular hack could be connected to the T-Mobile and Google Fi breaches.

Cybernews can corroborate that the number of accounts exposed in the leak is far lower than the 144K claimed by the hacker, as we suspected in our original article.

Since then, our team was able to filter out the duplicate emails and found just over 30 thousand unique emails in the stolen database.