T-Mobile hacked to steal data of 37 million accounts in API data breach

T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).

The company revealed on Thursday, the 19th, that the attacker started stealing data through the impacted API around November 25, 2022. The mobile carrier detected the malicious activity on January 5, 2023, and cut off the attacker’s access to the API one day later.

T-Mobile says the API abused in this security breach did not allow the attacker to gain access to affected customers’ driver’s licenses or other government ID numbers, social security numbers/tax IDs, passwords/PINs, payment card information (PCI), or other financial account info.

“Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features,” the company said.

“The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.”

The company described the data stolen in this attack as “basic customer information” in a separate press release.

T-Mobile has reported the incident to U.S. federal agencies and is working with law enforcement to investigate the breach.

The carrier is also now notifying customers who might have had their sensitive personal information stolen due to this breach.

T-Mobile hit by multiple breaches since 2018

While this is the first breach disclosed by T-Mobile since the start of the year, the mobile carrier has disclosed six other data breaches since 2018, including one where attackers gained access to the data of roughly 3% of all T-Mobile customers.

In 2019, T-Mobile exposed prepaid customers’ data. Unknown threat actors also accessed T-Mobile employees’ email accounts in March 2020.

In December 2020, unknown threat actors gained access to customer proprietary network information (phone numbers, call records), and in February 2021, attackers accessed an internal T-Mobile application without authorization.

Several months later, in August 2021, hackers brute-forced their way through T-Mobile’s network after a breach of the carrier’s testing environments.

After the August 2021 breach, the carrier failed to stop the stolen data from being leaked online even though it paid the attackers $270,000 through a third-party firm.

Last but not least, the company also confirmed in April 2022 that the Lapsus$ extortion gang had breached its network using stolen credentials.

Source: BleepingComputer