"Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software," T-Mobile told Krebs. "Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete." The company added the "systems accessed contained no customer or government information or other similarly sensitive information."
Lapsus$ initially accessed T-Mobile's internal tools by buying stolen employee credentials on websites like Russian Market. The group then carried out a series of SIM swap attacks. That type of intrusion typically involves a hacker hijacking the target's phone number by having it transferred to a SIM card in a device the attacker controls. The attacker can then intercept the victim's SMS messages, including password reset links and one-time codes for SMS-based multi-factor authentication. Some Lapsus$ members attempted to use their access to hack into T-Mobile accounts associated with the FBI and Department of Defense, but failed because of the additional verification measures tied to those accounts.