T-Mobile is the most recent victim of a data breach, as it has announced an unauthorized capture of customer information believed to affect about 2 million T-Mobile and Metro PCS customers. T-Mobile says all affected customers have been notified about the breach and the company has created a page on its site summarizing the details surrounding the incident. To help you understand how this breach might impact you, we’re detailing what happened and discussing some of the implications that this breach could have for victims going forward.

What happened?

T-Mobile has been relatively sparse on details surrounding the incident, but earlier this month, on Aug. 20, the company says its cybersecurity team discovered an “unauthorized capture” of some data from its systems. Among the captured data is information associated with user accounts, though the company was quick to add that no financial data or social security numbers were taken in the breach. From what we know, victims of the breach had their names, email addresses, account numbers, billing zip codes, phone numbers and account type (prepaid or postpaid) exposed. It was later revealed that “encrypted passwords” were also among the stolen data, but the company insists that the passwords are hashed, suggesting they can’t be readily decrypted and used.

What is T-Mobile doing about the breach?

It isn’t clear if T-Mobile intends to compensate victims of this particular breach, as the page devoted to explaining the incident makes no mention of complimentary identity theft protection or any other form of additional support for consumers beyond T-Mobile’s own customer service. Additionally, while T-Mobile has assured customers that something like this won’t happen again, there’s evidence suggesting that the company didn’t do everything it could have done to prevent this incident. Namely, the company didn’t mention the exposure of the passwords in its initial announcement; it took pressing questions from the news outlet Motherboard to reveal this information. The company also didn’t disclose what hashing or encryption scheme was used to create the hashes that were taken in the breach. This is worth noting because older, weaker hashing schemes can be just as bad as leaving the passwords unencrypted. Speaking to Motherboard about the issue, Nicholas Ceraolo, a security researcher unaffiliated with T-Mobile, claimed to have seen the stolen data. Based on the information he shared, some experts are saying that any exposed hashed or encrypted passwords from this breach can likely be cracked with existing technology, because T-Mobile might not have used a current standard for protecting these passwords. This is not unlike what happened during the 2013 Yahoo breach.
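To show why the hashing scheme matters, here is an added example (not code from the article or from T-Mobile) that stores the same constructed sample passwords two ways: a fast, unsalted digest versus a salted, memory-hard KDF (scrypt from Python's standard library). It demonstrates two things a defender checks for: whether two users with the same password get the same stored value, and how many guesses per second each scheme allows to be tested offline.

```python
"""Added example: comparing a weak password store with a strong one.
User names and passwords below are constructed sample data."""
import hashlib
import hmac
import os
import time

# Constructed sample accounts; alice and bob happen to share a password.
SAMPLE_USERS = {"alice": "Winter2018!", "bob": "Winter2018!", "carol": "correct horse"}


def weak_hash(password: str) -> str:
    """Fast, unsalted digest. Equal passwords give equal stored values, so one
    precomputed table or one recovered password covers every account sharing it."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> tuple:
    """scrypt with a random 16-byte per-user salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)


def duplicate_hash_count(users: dict, hasher) -> int:
    """Number of accounts whose stored value collides with another account's.
    Nonzero means the store itself reveals which users share a password."""
    seen = {}
    for name, pw in users.items():
        seen.setdefault(hasher(pw), []).append(name)
    return sum(len(names) for names in seen.values() if len(names) > 1)


def guesses_per_second(hasher, budget: float = 0.2) -> float:
    """Rough single-core throughput of one scheme: how many candidate
    passwords per second could be tested against a stolen table."""
    start = time.perf_counter()
    count = 0
    while time.perf_counter() - start < budget:
        hasher("candidate-%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    print("weak duplicates:", duplicate_hash_count(SAMPLE_USERS, weak_hash))
    print("strong duplicates:", duplicate_hash_count(SAMPLE_USERS, lambda pw: strong_hash(pw)[1]))
    print("weak guesses/s: %.0f" % guesses_per_second(weak_hash))
    print("strong guesses/s: %.0f" % guesses_per_second(lambda pw: strong_hash(pw)[1]))
```

The throughput ratio is what turns a leaked table into a practical problem: the unsalted digest can be tested orders of magnitude faster than the salted scrypt store, and its duplicate values expose shared passwords before any guessing starts.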

Why is this breach concerning?

With breaches pretty much happening all the time, it’s hard not to tune out, especially when financial information hasn’t been compromised. Although this breach might not seem like that big of a deal, there are some reasons to be concerned, as the information hackers did get away with could mean that consumers aren’t going to get off easy. What’s important to note is that this specific breach is merely one out of several breaches and security vulnerabilities affecting T-Mobile in the past few years, potentially indicating that the company (as well as other companies in the industry) could have a security problem.

What’s more, this hack comes right on the heels of reports discussing an increase in phone porting (also known as SIM swapping) and related fraud. These scams allow hackers to take over a cell phone carrier account and receive the calls and messages sent to someone’s number. While phone porting has always existed, it’s grown in popularity over the past few years because cell phones have unintentionally become one of the primary keys of personal security. Many people provide the same phone number across various services and use their number for two-factor authentication. By using phone porting to hijack a victim’s phone number, a hacker can likely break into their other accounts. The information taken from T-Mobile’s systems will likely aid those seeking new cell phone carrier accounts to break into.

What should I do to protect myself?

While the harms of breaches can’t completely be prevented, it is possible to lessen the severity of the fallout. Here are some of the things you should consider if you were notified of the T-Mobile breach or are an otherwise concerned T-Mobile or Metro PCS customer:

1. Change your password and T-Mobile PINs. Since passwords were included in the breach, you should change your account password immediately. Despite T-Mobile’s reassurances that the passwords are hashed or encrypted, there is the possibility that they can be decrypted. Remember that if you use the same password across multiple accounts, something we don’t recommend, you’ll want to make sure those passwords are also changed. Additionally, while there are no reports of T-Mobile phone support PINs being compromised, it might not be a bad idea to change those too.

2. Stop using SMS-based two-factor authentication. We’ve always been big proponents of using two-factor authentication for personal security, but in a post earlier this year, we distinguished between different types of two-factor authentication and highlighted that SMS-based authentication, which uses your cell phone number, might not be as secure. Threats like phone porting/SIM swapping only worsen the risk of account takeovers and identity theft, making it urgent that you consider another form of two-factor authentication like app-based ones or security keys.

3. Read up on phone porting/SIM swapping. It’s very likely that information from the recent T-Mobile breach was either intended to or can be used in phone porting campaigns. That’s why you’ll want to check out our guide to phone porting, so you know how to protect yourself.

4. Monitor your other accounts. You should monitor your other accounts, including bank accounts, social media accounts and more, in case information from this breach can be used in attempts to access these accounts. You can do this by beefing up the security of these accounts and ensuring that the service sends you notifications when your settings and preferences change, a feature offered by most online services.

5. Consider identity theft protection. While identity theft protection can’t prevent leaks, it can notify you if and where your information is being used on black market websites, public records, your credit reports and more.

For more information about the T-Mobile breach and other data breaches that impact you, keep reading our data breach blog.