A man sued T-Mobile on Sunday, claiming that the company’s lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars.
Carlos Tapang of Washington state accuses T-Mobile of having “improperly allowed wrongdoers to access” his wireless account on November 7th last year. The hackers then cancelled his number and transferred it to an AT&T account under their control. “T-Mobile was unable to contain this security breach until the next day,” when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360.
After gaining control of his phone number, the hackers were able to change the password on one of Tapang’s cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims.
The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55.
Tapang goes on to say, “After the incident, BTC price reached more than $17,000.00 per coin,” but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.
The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.
Although the suit doesn’t detail how the hackers specifically were able to access Tapang’s account, The Verge has explored a similar Bitcoin-related heist in the past that also involved taking over phone numbers.
Tapang alleges he couldn’t use his cellphone number and had to “expend time, energy, and expense” and also suffered “emotional distress” from the incident, so he’s seeking damages and injunctive relief, which could order T-Mobile to enable more security measures. T-Mobile and Tapang’s lawyer, Boris Davidovskiy, could not be immediately reached for comment.