How to get your life hacked (with a little help from T-Mobile)

Kiril Christov
Jun 21, 2018

The 2-step verification didn’t fail… but T-Mobile did.

I woke up this morning in sunny LA, a little annoyed by the fact that my phone was not working. Of course, I blamed my old iPhone first.

Five minutes later, trying to check my Gmail, I realized my password was no longer valid. That’s how everything escalated.

In the next couple of minutes, I realized that somebody had gained access to all my Gmail accounts, my Dropbox accounts and who knows what more. Thankfully I used the option (last password) in Gmail and gained access to my accounts again. I changed my passwords everywhere, but I had to get to the bottom of the problem called… 2-step verification.

Turns out somebody has gained access to my phone number and now controls it. It means that, whatever they want to do with my accounts, they just have to try to change my passwords and actually do it by entering the verification code sent to my number (which they now control).

I ran really quickly to the first T-Mobile store in Los Angeles to get a new SIM card and regain control of my account. I asked the guys there for additional info and what had actually happened. And here is the funny part.

9:30 — Someone who pretends to be me goes into a T-Mobile store in New York (while I’m in LA). They show some form of ID, get verified by the T-Mobile store representative and transfer my phone number to their name. With a new SIM in their hands, they start stealing my digital identity.

9:41 — They change my primary Gmail account password.

9:53 — They change my secondary Gmail account password.

10:00–10:40 — In 40 minutes they do some activities with my accounts and clear their tracks by permanently deleting the traces and emails that were sent or received on my accounts. These emails cannot be recovered by Gmail.

Around 12:00 — I successfully regained control of my phone number by going to the T-Mobile store.

I contacted T-Mobile and I am waiting for their fraud team to get in contact with me, hoping that no one will take possession of my account again.

It’s interesting that:
— I have the name of the person that did that (from the T-Mobile records).
— I have the ID of the store that allowed them to do this fraud. (In the records they say my account was changed by presenting ID, but I was in Los Angeles while all this happened in New York.)
— In a couple of minutes, my account was visited from multiple devices across the US (Chicago, Florida, New York).
— Most likely they performed other illegal activities I am not aware of.
— Most likely they’ve downloaded all the information I have on my Gmail accounts already.

Now I am looking for some legal help to file a complaint against the T-Mobile representative store that gave away my information. Any ideas what I should do next?

Maybe go to the police? Contact an attorney?

P.S. I will keep you posted with the story.
