T-Mobile announced that a cybercriminal stole the personal information of 37 million contract and prepaid customers through one of its application programming interfaces (APIs).
The company revealed that the attacker started stealing data using an API around Nov 25, 2022. The company detected the malicious activity on January 5, 2023 and cut off the attacker’s access to the API a day later.
T-Mobile claims that the API abused in this breach did not allow the attacker to access affected customers’ ID or other official identification numbers, social security numbers/passwords/PINs, payment card number (PCI) information, or other financial account information.
The affected API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as lines in the account and plan resources.
The preliminary result of our investigation indicates that the malicious actor or actors obtained data from this API for approximately 37 million existing postpaid and prepaid customer accounts, although many of these accounts did not include the full set of data.
T-Mobile reported the incident to US federal agencies and is now working with law enforcement to investigate the breach.
the company too is now notifying customers that their sensitive personal information may have been stolen as a result of this gap.
Our investigation is ongoing, but the malicious activity appears to be fully contained at this time and there is no evidence that the malefactor was able to breach or compromise our systems or network.
While this is the first breach disclosed by T-Mobile since the start of the year, the mobile operator has revealed six other data breaches since 2018, including one where attackers gained access to the data of about 3% of all T-Mobile customers. . customers.