A consolidated database allegedly containing 52 million T-Mobile USA customer records and 6 million legacy Sprint subscriber records surfaced for sale on a prominent dark web hacker forum on May 21, 2026. The threat actor has set a fixed buyout price of $250,000 USD, with transactions routed exclusively through the forum's trusted "Garant" escrow system. The listing was validated on monitored underground channels and represents one of the most significant U.S. telecommunications exposures observed in 2026.
What Happened
On May 21, 2026, a threat actor publicly listed a monolithic, cross-organizational consumer database on a prominent Russian-language cybercrime forum, claiming origin from the integrated backend systems of T-Mobile USA. The seller has structured the offering as a fixed-price, single-buyer transaction at $250,000 USD, deliberately bypassing peer-to-peer trades by mandating use of the forum's Garant escrow service. This professionalized monetization strategy signals an intent to attract organized cybercrime syndicates and automated fraud networks rather than opportunistic resellers. The unified structure of the leaked sample, blending two distinct subscriber populations into a single relational schema, suggests compromise of a centralized historical data warehouse, a post-merger integration backup mirror, or a legacy cloud storage repository established during T-Mobile's corporate absorption of Sprint.
What Was Taken
The advertised archive totals approximately 58 million consumer lines across two carrier brands. The listing describes the following record counts and data fields:
- 52 million T-Mobile USA customer records
- 6 million legacy Sprint subscriber records
- Mobile Directory Numbers (MDN) providing direct cellular phone identifiers
- Account numbers and core carrier mapping data
- Subscriber identity records compiled during the Sprint integration period
The combined dataset functions as a comprehensive consumer blueprint, pairing phone numbers with account-level identifiers that can be cross-referenced against existing breach corpora to enrich targeting profiles for downstream fraud operations.
Why It Matters
T-Mobile is the second-largest wireless carrier in the United States, supporting more than 100 million active subscribers and serving as critical infrastructure for SMS-based authentication, mobile banking transactions, and device-level identity verification. A breach of this magnitude provides adversaries with the raw material for SIM-swap operations at industrial scale, targeted smishing campaigns, MFA bypass attacks against banking and cryptocurrency platforms, and account takeover fraud against any service that relies on phone-number-based recovery flows. The inclusion of legacy Sprint records is particularly significant because those subscribers may have moved on to new carriers without their historical identifiers being rotated, leaving residual exposure that bypasses current T-Mobile security controls.
The Attack Technique
The seller has not publicly disclosed the intrusion vector, but the unified two-brand schema points to compromise of shared infrastructure rather than a current-generation production system. Likely candidates include a centralized historical data warehouse retained for compliance or analytics purposes, a post-merger integration backup mirror created during the Sprint absorption, or a legacy cloud storage bucket left in place after the migration completed. This pattern aligns with prior T-Mobile incidents in which exposed API endpoints, misconfigured cloud storage, and forgotten legacy systems served as the entry vectors. The use of Garant escrow further indicates that the actor has access to a complete, verifiable dataset and is confident that the sample's authenticity will survive buyer-side validation.
What Organizations Should Do
- Treat any customer phone number originating from T-Mobile or legacy Sprint accounts as potentially compromised and apply elevated scrutiny to SMS-based authentication flows
- Audit and inventory legacy data warehouses, post-merger backup mirrors, and cloud storage repositories for stale or duplicate subscriber data that should be purged or re-secured
- Shift high-value account recovery and MFA flows away from SMS toward FIDO2, passkeys, or authenticator applications
- Implement carrier-side SIM-swap protections and port-out PINs for executives, finance staff, and other high-value targets
- Monitor for smishing campaigns referencing T-Mobile or Sprint account details and prepare customer-facing advisories
- Coordinate with fraud and identity teams to add the affected MDN ranges to elevated-risk monitoring and require step-up authentication for sensitive transactions
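One way to implement the elevated-risk MDN check and step-up rule from the list above, as an added example that is not from the source report. The ranges, factor names (`sms_otp`, `fido2`, `passkey`, `totp_app`) and decision labels are assumptions made for illustration.

```python
import bisect
import re

# Constructed sample ranges (inclusive), using the 555-01xx block reserved for
# fiction. A real list would come from the fraud team's own analysis.
# Assumption: ranges do not overlap, so a binary search on start values works.
ELEVATED_RANGES = sorted([(2025550100, 2025550149), (4155550120, 4155550199)])
_STARTS = [start for start, _ in ELEVATED_RANGES]
# Hypothetical labels for the non-SMS factors the recommendations name.
STRONG_FACTORS = {"fido2", "passkey", "totp_app"}

def normalize_mdn(raw):
    """Return the 10-digit US MDN as an int, or None if the input is not one."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the +1 country code
    return int(digits) if len(digits) == 10 else None

def is_elevated(mdn):
    """True if the MDN falls inside any elevated-risk range."""
    i = bisect.bisect_right(_STARTS, mdn) - 1
    return i >= 0 and mdn <= ELEVATED_RANGES[i][1]

def decide(raw_mdn, factor, sensitive):
    """Return (decision, reason) for one authentication attempt."""
    if factor in STRONG_FACTORS:
        return ("allow", "factor does not depend on the phone number")
    if factor != "sms_otp":
        return ("deny", "unknown factor")
    mdn = normalize_mdn(raw_mdn)
    if mdn is None:
        return ("deny", "unparseable MDN, cannot assess risk")
    if not is_elevated(mdn):
        return ("allow", "MDN not in an elevated-risk range")
    if sensitive:
        return ("step_up", "elevated-risk MDN on a sensitive transaction")
    return ("allow_and_flag", "elevated-risk MDN, log for fraud review")
```

A `step_up` result means the caller should require one of the strong factors before completing the transaction; `allow_and_flag` lets low-value actions proceed while feeding the fraud team's monitoring.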
Sources: 52 Million T-Mobile & 6 Million Sprint Consumer Lines Auctioned for $250,000