T-Mobile disclosed a new data breach after a threat actor stole the personal account information of 37 million of its current postpaid and prepaid customers through one of its application programming interfaces (APIs).
An API is a software interface or mechanism that is usually used by programs or computers to communicate with each other.
Many online web services use APIs to allow their web applications or external partners to read internal data as long as they pass the appropriate authentication tokens.
While T-Mobile did not share how their API was exploited, threat actors commonly find flaws that allow them to read data without authentication.
New data breach affects 37 million accounts
T-Mobile revealed Thursday that an attacker began stealing data using the affected API around November 25, 2022. The mobile operator detected the malicious activity on January 5, 2023, and a day later terminated the attacker’s access to the API.
The company said that the API misused in this security breach did not allow the attacker to access affected customers’ driver’s licenses or other government ID numbers, social security numbers/taxpayer numbers, passwords/PINs, payment card information (PCI) or other financial account information.
“Rather, the affected API is only able to provide a limited set of customer account data, including first name, last name, billing address, email address, phone number, date of birth, T-Mobile account number, and information such as the number of lines on your account and plan features,” T-Mobile said.
“The preliminary result of our investigation indicates that the bad actor(s) obtained data from this API on approximately 37 million current postpaid and prepaid customer accounts, although many of these accounts did not include the full data set.”
The company described the data stolen in the attack as “key customer information” in a separate press release.
T-Mobile reported the incident to US federal agencies and is now working with law enforcement to investigate the breach.
The carrier is also now notifying customers whose sensitive personal information may have been stolen as a result of the breach.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that a bad actor may have compromised our systems or network, or compromised their system,” T-Mobile said.
Eighth T-Mobile data breach since 2018
While this is the first breach that T-Mobile has disclosed since the beginning of the year, the carrier has disclosed seven other data breaches since 2018, including one in which attackers gained access to approximately 3% of all T-Mobile customer data.
In 2019, T-Mobile exposed the data of prepaid customers. In March 2020, unknown threat actors also accessed T-Mobile employees’ email accounts.
In December 2020, unknown threat actors also gained access to customers’ proprietary network information (phone numbers, call records), and in February 2021, attackers accessed an internal T-Mobile application without permission.
A few months later, in August 2021, hackers brute-forced their way into T-Mobile’s network, breaching the operator’s testing environment.
After the August 2021 breach, the carrier failed to stop the stolen data from leaking online, despite paying the attackers $270,000 through a third-party company.
Last but not least, in April 2022, the company also confirmed that the Lapsus$ extortion gang hacked its network using stolen credentials.