John Binns seems to be an unusually chatty cybercriminal. The Wall Street Journal reports that Binns—a 21-year-old US citizen who lives in Turkey—has claimed responsibility for a massive T-Mobile data breach, saying he was able to steal data on more than 50 million customers because "their security is awful." He said he scanned the network for weak spots and hacked into a company data center through an unprotected router. The Journal says it communicated with Binns through the encrypted Telegram app, and he showed them he had access to an account that had shared screenshots of entry to the network. He said one reason for the hack was to "generate noise." Binns claimed to have been persecuted by US authorities. He said he was kidnapped in Germany last year and put in a fake mental hospital.
"I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that," he said. Binns—who has been linked to hacking activity in the past, including botnet attacks launched by groups of young gamers—declined to say whether he sold the stolen data. Security researchers say the same account he used to prove that he had hacked T-Mobile tried to sell the data to criminals before the hack was public knowledge. The Verge reports that Binns sued the CIA and other agencies last year, demanding to be told what information they had on him and claiming, among other things, that they had attacked him with "psychic and energy weapons."
T-Mobile, which had two smaller data breaches last year, declined to comment on Binns' claims. If his account is true, the ease of the attack, which may have put tens of millions of people at risk of fraud, is "frightening," Engadget notes. The company says the security hole has now been closed and no financial information was stolen. Those affected have been offered two years of free identity protection services.