T-Mobile recently announced a data breach in which a hacker obtained the personal information of 37 million current postpaid and prepaid customer accounts by exploiting one of its Application Programming Interfaces (APIs). APIs are software interfaces that allow applications and computers to communicate with each other.
Many web services use APIs to let their own apps or external partners access internal data, provided the caller presents the correct authentication tokens. T-Mobile did not specify how its API was compromised, but it is common for hackers to exploit flaws in APIs to retrieve data without proper authentication.
New T-Mobile data breach affects 37 million accounts
On Thursday, T-Mobile disclosed that the attacker had been accessing the impacted API since November 25, 2022. The company detected the unauthorized activity on January 5, 2023, and cut off the attacker’s access to the API the following day.
T-Mobile also stated that the API that was targeted did not provide the attacker access to sensitive information such as driver’s licenses, government ID numbers, social security numbers/tax IDs, passwords/PINs, payment card information, or other financial account information of the affected customers.
“Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features. The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set,” stated T-Mobile.
In a separate statement, T-Mobile defined the data stolen in this attack as “basic customer information.” The company has reported the incident to relevant federal agencies in the US and is cooperating with law enforcement to investigate the breach. T-Mobile is also informing customers whose personal information may have been compromised as a result of the breach.
“We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile stated.
T-Mobile has suffered data breaches since 2018
This is the eighth data breach that T-Mobile has disclosed since 2018. The latest incident is the first one reported in 2023; the seven earlier breaches include one in which attackers gained access to the data of roughly 3% of all T-Mobile customers.
In 2019, T-Mobile exposed prepaid customers’ data and in 2020, unknown threat actors accessed T-Mobile employees’ email accounts.
In December 2020, unknown threat actors also gained access to customer proprietary network information (phone numbers, call records) and in February 2021, attackers accessed an internal T-Mobile application without authorization.
In August 2021, hackers breached T-Mobile’s network after a security breach of the carrier’s testing environments. Despite paying the attackers $270,000 through a third-party firm, T-Mobile failed to prevent the stolen data from being leaked online. The company also confirmed in April 2022 that the Lapsus$ extortion gang had breached its network using stolen credentials.