T-Mobile announced a new data breach after a threat actor used one of its Application Programming Interfaces to steal personal data from 37 million active postpaid and prepaid customer accounts (APIs).

37 Million Accounts Impacted

On Thursday, the telecommunication giant T-Mobile revealed that it detected malicious activity on January 5, 2023. The attacker started stealing data using an API in November of last year. The company cut off the attacker’s access to the API one day after discovering the activity, on January 6th.

According to the organization, the API that was misused in this security compromise did not give the attacker access to the affected customers’ social security numbers, tax identification numbers, passwords, PINs, payment card information (PCI), or other financial account information.

The impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.

T-Mobile (Source)

Based on a preliminary assessment of the attack’s impact, approximately 37 million current postpaid and prepaid customer accounts were affected, although many of the accounts did not include the full data set.

The carrier has begun the process of notifying the customers affected by the breach and has reported the incident to the responsible U.S. federal agencies.

T-Mobile is now working with law enforcement to investigate the breach. The company declared that at the moment there is no clear evidence suggesting that the threat actor was able to also breach or compromise the company’s systems or network.

Not The First Time

This is not the first time T-Mobile was under the attack of threat actors. In fact, according to BleepingComputer, it’s the eighth time since 2018 that this happened. A notable mention happened in August 2021, when the data of 100 million T-Mobile customers were stolen, leading to a settlement of $350 million being discussed.

Another more recent breach happened in April 2022, when the Lapsus$ extorsion group breached T-Mobile’s network using stolen credentials.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

API Vulnerabilities: What Are These and How to Protect your Business Against Them

Lapsus$ Hacking Group Allegedly Behind the Uber Security Breach

What Is a Data Breach and How to Prevent It

T-Mobile Data Breach: Hackers Say They Stole 100 Million Customer Data

Leave a Reply

Your email address will not be published. Required fields are marked *