T-Mobile has disclosed a new data breach after a malicious actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its application programming interfaces (APIs).
An API is a software interface or mechanism commonly used by applications or computers to communicate with each other.
Many online web services use APIs so that their online applications or external partners can retrieve internal data as long as they pass the correct authentication tokens.
Although T-Mobile has not shared how its API was exploited, threat actors typically find flaws that allow them to scrape data without authenticating first.
New data breach affects 37 million accounts
T-Mobile revealed on Thursday that the attacker began stealing data using the impacted API around November 25, 2022. The mobile operator detected the malicious activity on January 5, 2023, and shut down the attacker’s access to the API one day later.
The company said the API abused in this security breach did not allow the attacker to access affected customers’ driver’s licenses or other government identification numbers, Social Security numbers/tax IDs, passwords/PINs, payment card information (PCI) or other financial account information.
“Instead, the impacted API can only provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features,” T-Mobile said.
“The preliminary result of our investigation indicates that the malicious actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, although many of these accounts do not include the full dataset.”
The company described the data stolen in this attack as “basic customer information” in a separate press release.
T-Mobile has reported the incident to US federal agencies and is currently working with law enforcement to investigate the breach.
The carrier is also now notifying customers whose sensitive personal information may have been stolen as a result of this breach.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor may have breached or compromised our systems or network,” T-Mobile said.
T-Mobile’s eighth data breach since 2018
Although this is the first breach disclosed by T-Mobile since the start of the year, the mobile operator has disclosed seven other data breaches since 2018, including one where attackers gained access to the data of about 3% of all T-Mobile customers.
In December 2020, unknown threat actors also gained access to customer proprietary network information (phone numbers, call records), and in February 2021, attackers accessed an internal T-Mobile application without authorization.
A few months later, in August 2021, hackers brute-forced their way through T-Mobile’s network after breaching the carrier’s test environments.
After the August 2021 breach, the carrier failed to prevent the leaking of stolen data online, even though it paid the attackers $270,000 through a third-party company.
Finally, the company also confirmed in April 2022 that the Lapsus$ extortion gang had hacked its network using stolen credentials.