T-Mobile announced on Thursday that a hacker accessed varying amounts of personal data from 37 million customers from late November 2022 until the malicious activity was detected on January 5th of this year.
According to the mobile phone giant, the attacker accessed account information from postpaid and prepaid customers via one of its APIs.
Application Programming Interfaces (APIs) are software interfaces used by computers and applications to communicate with each other. APIs are used by web services to enable online apps and/or external partners to retrieve internal data, typically utilizing some type of authentication tokens.
"In today's expanding and ever-changing API environments, even very security wise and mature organizations continue to experience API-related breaches," said Nick Rago, Field CTO at Salt Security.
"Organizations simply cannot uncover all potential for abuse and business logic flaws in development and testing. They must understand that these threats and lapses in governance will still occur despite their best API management efforts. Now more than ever, organizations must have proper API runtime protection in place to immediately detect and block malicious activity when an API is being abused, compromised, or is under reconnaissance by an attacker."
T-Mobile did not reveal exactly how the threat actor accessed and exploited its API, but clearly they found a week link in the ID authentication process.
APIs a growing attack vector
Dr. Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said this about the incident:
"Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data. Given that the exfiltration of 37 million customer records was visibly not detected and blocked by the anomaly detection system, we could suppose that the breached API belonged to the unknown and thus unprotected shadow assets. While the financial data of the customers is reportedly safe, the compromised billing details can be aptly exploited by cybercriminals for sophisticated spear phishing attacks aimed, amongst other things, to steal 2FA tokens from other systems. In view of the previous security incidents implicating T-Mobile, legal consequences for this data breach may be pretty harsh – courts and regulators will unlikely be lenient when considering monetary and other available sanctions."
And Ted Miracco, CEO of Approov, shared his viewpoint:
"As to the access being through an API attack, currently deployed security technologies in mobile applications are just small speed bumps for the experienced hackers that are increasingly using man-in-the-middle attacks (MitM) and API Keys to gather much richer troves of data including the full range of not just PII. We need to make sure that API security is prioritized, and we should start with the mobile devices as these are the easiest to hack and as demonstrated, are poorly protected."
T-Mobile is still settling with customers over a 2021 breach in which 76 million people were affected, with the company agreeing to pay $350 million to settle claims and spend another $150 million to bolster security. The latest breach is the eighth to hit the company since 2018.
Here's a SecureWorld News article from August 2021 providing an update on a breach affecting 100 million T-Mobile users.
[RELATED: SecureWorld is offering a training on the topic of API security at our 12 annual Charlotte conference, March 1-2. George Jouldjian, Cyber Director at Elliott Davis, will lead the in-depth course, "Understanding the Threat Surface with API Security. See details here.]
