API Attacker Steals Data on 37 Million T-Mobile Customers

Written by

T-Mobile has admitted that tens of millions of customers had their personal and account information accessed by a malicious actor via an API.

The US mobile carrier explained in an SEC filing yesterday that the attack began “on or around” November 25 2022, but was not discovered until January 5 2023, after which time T-Mobile contained and remediated the incident within a day.

Among the information compromised by the threat actor were customer names, billing and email addresses, phone numbers, dates of birth, T-Mobile account numbers and information such as the number of lines on the account and plan features.

T-Mobile sought to play down the seriousness of the breach in a related statement, claiming that “nearly all” of the info stolen “is the type widely available in marketing databases or directories.”

That misses the point slightly in that large troves of data like this provide a readymade profile on each customer for scammers to use in follow-on phishing and identity fraud attempts.

“No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised,” T-Mobile added in its statement.

“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”

It’s unclear exactly what kind of API flaw was exploited by the threat actors, or why it took nearly a month and a half for the carrier to detect the breach.

Ivan Novikov, CEO and co-founder of Wallarm, argued that organizations should regularly review and update their security systems, policies and capabilities, and have incident response plans in place.

“As organizations continue to accelerate their digital transformation efforts and leverage more and more APIs, it's crucial that they have the right tools and expertise in place to protect their sensitive data,” he added.

“Unauthorized access through a single API can lead to a significant data breach.”

Editorial credit icon image: nikkimeel / Shutterstock.com

What’s hot on Infosecurity Magazine?