Credential-Stuffing Account Fraud on T-Mobile
Attackers use email-and-password combinations from unrelated data breaches to log in to My T-Mobile accounts, enabling SIM swaps, fraudulent device upgrades, or line additions charged to the victim.
Part of: Credential Stuffing Account Fraud
Last reviewed: 8 June 2026
T-Mobile's My T-Mobile portal is the gateway to subscriber accounts — billing, device management, SIM swapping, and line additions all flow through it. When an attacker credential-stuffs a My T-Mobile account successfully, they can make account changes that have far-reaching consequences, from porting the victim's number to a new SIM to ordering expensive devices on the victim's account and contract.
T-Mobile's own significant data breaches in recent years have placed additional subscriber data in circulation, meaning that attackers conducting credential stuffing against T-Mobile accounts may also already hold partial account information that could help defeat security questions or validate the account during a change request.
The scale of T-Mobile's subscriber base and the portal's range of account management features make it a particularly high-value target for credential-stuffing attacks.
How this scam works on the T-Mobile brand
After logging in to a My T-Mobile account through credential stuffing, the attacker assesses the account for its most valuable exploit. If the account has a high credit limit, they may add a new line or upgrade a device on a new contract, shipping the device to a mule address. If the account holder is a target for a SIM swap, they initiate the port from within the authenticated portal, bypassing agent-level social engineering.
Some attackers change the account email and PIN to lock the legitimate owner out before making changes. Others operate silently, making one change — initiating a SIM swap — and logging out before triggering any alert. The victim only discovers the fraud when their phone loses service.
Fraudulent device upgrades may take weeks to appear on a bill, by which time the attacker has received and resold the device. The victim faces an unexpected contract obligation and device charges for hardware they never received.
Common red flags
- A My T-Mobile login alert arrives from an unfamiliar device or location
- Your T-Mobile bill includes charges for a new device or additional line you did not order
- Your phone loses mobile service unexpectedly, indicating a SIM change may have been made through the portal
- Your My T-Mobile account email or PIN has been changed without your action
- You receive a package containing a new device or SIM card you never requested
- T-Mobile texts confirm account changes you did not initiate
How to protect yourself
- Use a unique, strong password for My T-Mobile that is not used on any other service
- Enable T-Mobile NOPORT and account SIM lock in My T-Mobile settings
- Set up T-Mobile account alerts so any change triggers an immediate notification
- Check haveibeenpwned.com for your email address and update all reused passwords
- Use an authenticator app for My T-Mobile two-factor authentication rather than SMS alone
- Review your T-Mobile bill monthly for unexpected device, line, or data charges
How to report it
- Report account fraud to T-Mobile at 1-800-937-8997 or via the My T-Mobile portal under Account Help
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI at ic3.gov if fraudulent device orders resulted in financial loss
- Contact T-Mobile to dispute any fraudulent device contracts or line additions on your account
Frequently asked questions
Can a credential-stuffed My T-Mobile login enable a SIM swap?
Yes. An attacker authenticated in My T-Mobile can initiate a SIM change online, which is why enabling NOPORT and account SIM lock is important — these features require additional verification beyond a simple logged-in session.
What can a fraudster do with my T-Mobile portal access?
Depending on account settings: change your SIM, add new lines, upgrade devices on credit, change your PIN and notification email, or access your billing history and payment methods.
T-Mobile experienced breaches. Should I assume my account data is compromised?
Treat your My T-Mobile password as potentially exposed if you have been a subscriber since any of T-Mobile's breach periods. Change your password, enable NOPORT, and switch to an authenticator app for two-factor authentication.