T-Mobile disclosed that hackers stole addresses, phone numbers, and birthdates from 37 million customers, PayPal notified ~35,000 users that a credential stuffing attack exposed Social Security numbers and tax IDs, and a new Android banking malware called Hook emerged with full device takeover capability — allowing attackers to see your screen, control your device, steal crypto wallet seed phrases, and read your WhatsApp messages in real time.
Stories Covered
PayPal Credential Stuffing Attack Exposes SSNs and Tax IDs for 35,000 Users
PayPal distributed data breach notifications disclosing a credential stuffing attack that occurred December 6–8, 2022. Approximately 35,000 accounts were compromised. A credential stuffing attack does not exploit any vulnerability in PayPal’s systems: attackers take username and password combinations from previous data breaches elsewhere on the internet, automate login attempts against PayPal, and succeed wherever a victim reused the same password across multiple sites. PayPal confirmed it found no evidence of a flaw or misconfiguration on its own platform — the attack succeeded entirely because victims used the same credentials on PayPal that had already been exposed in other breaches. For affected accounts, attackers had access to names, dates of birth, Social Security numbers, addresses, and individual tax identification numbers — the categories of data useful for identity theft rather than just financial fraud. PayPal responded by resetting affected passwords, requiring a password change on next login, and offering affected users two years of Equifax identity monitoring. The defense is the same as it has always been: unique passwords for every account, managed via a password manager so the uniqueness is practical rather than theoretical. A credential stuffing attack cannot work against an account whose password is not reused anywhere else.
T-Mobile’s Latest Breach: 37 Million Customers, a Years-Long Pattern of Incidents
T-Mobile filed a report with the Securities and Exchange Commission disclosing a security breach affecting approximately 37 million customers. The stolen data included addresses, phone numbers, and dates of birth; T-Mobile stated that passwords, PINs, credit card numbers, Social Security numbers, and bank account information were not accessed. The breach occurred in late November 2022. This disclosure is notably the sixth T-Mobile security incident in roughly four years. In August 2018, a vulnerable API exposed data on 2 million customers. In November 2019, roughly 1 million prepaid customers had account information stolen. In March 2020, hackers breached an employee email account to access customer data. In January 2021, an incident exposed SIM swap-adjacent account data. In August 2021, the worst incident to date exposed names, driver’s license numbers, Social Security numbers, birthdates, prepaid PINs, addresses, and phone numbers for millions of customers — discovered only after a hacker posted the dataset for sale on an underground forum. The current incident adds addresses, phone numbers, and birthdates to what attackers already hold from prior incidents. Even absent financial data, the combination of name, address, phone number, and birthdate is sufficient to enable targeted phishing, SIM swapping, and identity theft operations against affected customers. A carrier that has experienced six security incidents in four years represents a systemic risk for its customers regardless of what specific data categories any single incident exposed.
Hook: New Android Banking Malware With Device Takeover, Crypto Wallet Theft, and WhatsApp Access
ThreatFabric researchers analyzed Hook, a new Android banking malware advertised by its creator, Duke Eugene — the same actor behind ERMAC. Hook was marketed as written from scratch and representing a new generation of capability, though ThreatFabric found the code shares substantial architecture with ERMAC. What is genuinely new in Hook is the combination of capabilities that places it at the same threat tier as Hydra and Octo, the two most dangerous Android banking malware families in terms of device control. Hook adds Virtual Network Computing support, allowing operators to see the victim’s screen in real time, and abuses Android Accessibility Services to interact with UI elements — clicking buttons, filling in text fields, navigating applications. The combination of screen viewing and UI control constitutes a full device takeover: anything a person with physical access to the device could do, Hook can do remotely. Communication with the command-and-control server uses WebSockets rather than the polling method used by older malware families, enabling real-time bidirectional communication that allows operators to issue commands and receive responses without waiting for the next polling interval. Beyond standard device takeover capabilities, Hook can extract seed phrases from cryptocurrency wallets — the recovery phrase that allows anyone who has it to recreate the wallet and drain its contents — and can read and send messages from WhatsApp. Hook is being rented by Duke Eugene as malware-as-a-service. For Android users: avoid sideloading applications outside the Google Play Store, keep Android security updates current, and review which apps have been granted Accessibility Service permissions — legitimate apps rarely need this and malware consistently abuses it.





