> Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers. We’re not sure yet which employees are impacted, but based on comments online it seems at least a few third-party employees are affected, and we’ve independently confirmed current corporate employees have also received the message.
Sadly, the idea that phone numbers of people are private should be considered laughable at this point. There is LinkedIn, and even if you're not directly connected to someone it would be easy to correlate publicly available LinkedIn data to phone number data.
I'm curious how that feature works on the backend. If the premise is employees abusing internal access to fiddle account data, and the feature can be toggled on an account page, can't the insider abuse a password reset flow, toggle the setting off, then proceed as normal? I'm assuming that there's some "customer walks into store and needs to reset their password" functionality employees can access. Maybe a mandatory waiting period?
I had to deal with this recently. Basically, they put a hold on the account. The request is forwarded to another internal department for verification. Once verification is complete and the team determines the request is not fraudulent (asking for a "verification pin" or "account password"), the request is forwarded to the appropriate tech team for further processing.
SMS and calling were blocked during that entire time (~24-36 hrs), since the backend teams are likely operating in offshore timezones.
Also, note that TMobile explicitly provides a "SIM Protection" feature, https://www.t-mobile.com/support/plans-features/sim-protecti.... Why this isn't enabled for everyone by default I don't know.