T-Mobile was hacked, and the personal information of 37 million current postpaid and prepaid customer accounts was stolen through one of its Application Programming Interfaces (APIs). This happens to be the eighth data breach since 2018.
T-Mobile was not explicit about how the attack happened. However, T-Mobile revealed on Thursday that the attacker started stealing data using the impacted API around November 25, 2022. It detected the malicious activity on January 5, 2023 and cut off the attacker’s access to the API a day later.
An API is a software interface used by applications or computers to communicate with each other. Many online web services use APIs so that their online apps or external partners, with the right authentication tokens, can retrieve internal data.
It is also worth noting that the API abused in this security breach did not allow the attacker to gain access to affected customers’ driver’s licenses or other government ID numbers, social security numbers/tax IDs, passwords/PINs, payment card information (PCI) or other financial account info.
What was accessed was a limited set of customer account data described as “basic customer information”, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.
The mobile carrier is also now notifying customers who might have had their sensitive personal information stolen as a result of this breach. For more information about the T-Mobile hack, check out the references below.