The hacker who claims responsibility for stealing more than 50 million customer records from T-Mobile has spoken out, calling the company's security 'awful'.
John Binns, a 21-year-old American hacker living in Turkey, told the Wall Street Journal that he had used an unprotected router to access personal records of T-Mobile customers.
Binns, who provided screenshots and evidence to back up his claim, said that the entry point allowed him to hack into the company's data center in Washington state, where stored credentials allowed him to access more than 100 servers.
'I was panicking because I had access to something big,' he told the newspaper. 'Their security is awful.'
T-Mobile CEO Mike Sievert is seen above. The hacker who claims responsibility for stealing more than 50 million customer records from T-Mobile says the company's security is 'awful'
T-Mobile did not immediately respond to a request for comment from DailyMail.com on Thursday.
The company said in a statement last week that it had 'located and immediately closed the access point that we believe was used to illegally gain entry to our servers.'
Binns told the Journal that he was coming forward publicly in order to draw attention to his perceived persecution by the US government, claiming that he had been abducted in Germany and placed in a fake mental hospital.
'I have no reason to make up a fake kidnapping story and I'm hoping that someone within the FBI leaks information about that,' he explained.
A relative in the US confirmed that Binns called on the telephone last year, claiming to be a computer expert and saying he had been taken to a hospital against his will.
His abduction claims were detailed in lawsuits Binns filed against the Central Intelligence Agency, Federal Bureau of Investigation and other federal agencies. Binns brought the legal actions without the aid of an attorney.
Binns alleged in a lawsuit that 'CIA contractors' wearing night-vision goggles had been spying on his home from nearby apartments in this neighborhood in Turkey
In a lawsuit against the CIA, Binns provided this sketch of an alleged 'neurotoxic gas room' in a purported CIA black site disguised as a mental health facility in Germany
In one lawsuit reviewed by DailyMail.com, he accused the CIA of attempting to get him 'extra-judicially killed' by Turkish authorities by falsely accusing him of being a member of ISIS.
Binns alleged in the suit that 'CIA contractors' wearing night-vision goggles had been spying on his home from nearby apartments, and claimed that the spy agency had bribed his friend to inform on him by paying him with a pound of heroin.
The suit further alleges that Binns had suffered harassment at the hands of the CIA including 'gangstalking,' 'microwave directed energy devices,' 'psychotronic weapons,' and 'neurotoxic gas rooms.'
The lawsuit claimed that Binns had been abducted by 'fake Bavarian State Police officers' at the Munich Airport and taken to a 'fake mental hospital building' in July 2019.
That suit was dismissed by a judge, while others are still pending. The agencies denied his allegations in court filings.
Binns confirmed his identity to the Journal by answering personal questions, and provided details of the T-Mobile breach before they were made public.
T-Mobile has confirmed that more than 50 million customer records were breached, including information such as social security numbers and drivers license information
He grew up in northern Virginia with his Turkish mother and attended McLean High School. His father died in 2002 when Binns was two, contemporary news accounts show.
Binns was estranged from his father's family and moved to Izmir, Turkey with his mother soon after his 18th birthday.
Security researchers told the Journal that several online profiles tied to Binn are associated with groups of young gamers who use botnets of infected devices to knock other people or websites offline.
His online aliases include the names IRDev and v0rtex.
Binns said that the hack of T-Mobile was surprisingly easy. He said he found the unprotected router by scanning T-Mobile's known internet addresses for weak spots using a simple tool available to the public.
Once inside, he said it took about a week to access the servers that contained personal data about the carrier's millions of current and former customers.
The breach first came to light when hackers began offering the customer data for sale on the dark web. Binns declined to say whether he had sold any of the stolen data.
T-Mobile has confirmed that more than 50 million customer records were breached, including information such as social security numbers, drivers license information, and IMEI device serial numbers.
The breach has been a major black eye for the carrier, which became the second largest phone company in the country after last year's merger with Sprint.
T-Mobile has already begun informing affected customers if their data was stolen, and suggests customers regularly reset PINs and passwords.
However T-Mobile says it has no information indicating passwords, postpaid PIN numbers, or financial or payment information have been compromised.
The company is offering two years of identity protection services with McAfee's ID Theft Protection Service and has recommended eligible T-Mobile customers sign up for 'scam-blocking protection' through Scam Shield.
Some T-Mobile customers sued the company for damages last Thursday night in Seattle federal court, saying in a proposed class action that the cyberattack violated their privacy and exposed them to a higher risk of fraud and identity theft.
The Seattle field office of the FBI is investigating the breach.
