T-Mobile reported a data breach after a threat actor stole personal information from 37 million customer accounts. The attacker used one of the company's Application Programming Interfaces (APIs).
An API is a software interface (or mechanism) that allows applications and computers to communicate.
Most online services make use of APIs to allow their apps and external partners to retrieve internal data, provided they have the correct authentication tokens.
Although T-Mobile didn’t share the details of how its API was used, threat actors often find vulnerabilities that enable them to access data even without authentication.
37,000 accounts affected by a new data breach
T-Mobile announced on Thursday that an attacker began stealing data through the affected API around November 25, 2022. T-Mobile detected the malicious activity and blocked the attacker from accessing the API on January 5, 2023.
According to the company, the attacker did not use the API involved in the breach to access affected customers’ driver’s licenses or other government ID numbers, social security numbers/tax ID numbers, or passwords/PINs. The API also did not permit the attacker to obtain payment card information (PCI) or any other financial account details.
T-Mobile stated that the API is able to access only limited customer data such as name, billing address and date of birth, along with information like the account number, plan details and the number of lines.
Our preliminary investigation revealed that data was obtained from the API by the bad actor for about 37 million customer accounts. However, many accounts didn’t include all of the data.
In a separate , the company stated that data taken in the attack was “basic customer information”.
T-Mobile reported the incident to U.S. federal agencies and is currently working with law enforcement on the investigation.
The carrier is now notifying customers whose personal data may have been stolen.
T-Mobile stated that although the investigation remains ongoing, the malicious activity seems to have been contained. There is no evidence to suggest that the bad actor could breach our networks or systems.
T-Mobile Data Breach: Eighth since 2018.
This is not the first T-Mobile data breach. Since January 1, 2018, the mobile carrier has disclosed seven more data breaches, including an attack in 2018 where hackers gained access to the data of approximately 33% of T-Mobile customers.
T-Mobile in 2019. In March 2020, unknown threat actors .
Unknown threat actors gained access to customers’ proprietary network information (phone numbers and call records) in December 2020. In February 2021 attackers also accessed without authorisation.
After a , hackers in August 2021.
The August 2021 data breach resulted in the carrier failing to prevent the theft of the information from going online, even though by the carrier through a third party firm.
Last, but not least: The company confirmed that Lapsus$’ extortion gang with stolen credentials in April 2022.