T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).
An API is a software interface that lets applications or computers exchange data with each other.
Many online services expose APIs so that their own apps or external partners can retrieve internal data, provided the caller presents a valid authentication token.
While T-Mobile has not said how its API was exploited, attackers commonly find API flaws that let them retrieve data without authenticating first, or that let an authenticated caller read records belonging to other customers simply by changing an identifier in the request. Either mistake lets an attacker walk through the identifier space and collect records in bulk.
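The mistake described above, an endpoint that hands back customer records without verifying who is asking, can be shown in a few lines. The Python below is an added example written for this page; it is not T-Mobile's code and not a reconstruction of the API involved in the breach. The account table, the HMAC-signed bearer token format, the signing secret and the handler names are all constructed for illustration. It contrasts a handler that accepts but never checks the caller's token with one that first authenticates the token and then checks that the token's subject owns the requested account, and shows how a scraper drains the first one by iterating account identifiers.

```python
"""Added example for this page (not T-Mobile's code): an API lookup that
skips authentication and object-level authorization, beside a hardened
version.  Accounts, secret and token format are constructed for the demo."""
import base64
import binascii
import hashlib
import hmac

# Constructed sample data standing in for a customer-account table.
ACCOUNTS = {
    1001: {"name": "A. Example", "email": "a@example.com", "lines": 2},
    1002: {"name": "B. Example", "email": "b@example.com", "lines": 1},
    1003: {"name": "C. Example", "email": "c@example.com", "lines": 4},
}

# Server-side signing secret (assumed for the demo; load from a vault in real code).
TOKEN_SECRET = b"constructed-secret-for-demo"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(account_id: int) -> str:
    """Issue a bearer token binding a session to one account id: payload || HMAC."""
    payload = str(account_id).encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_token(token: str):
    """Return the account id a token was issued for, or None if absent or forged."""
    if not token:
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        return int(payload)
    except ValueError:
        return None


def lookup_account_vulnerable(account_id: int, token: str = ""):
    """Vulnerable handler: the token is accepted but never checked, so anyone
    who can reach the endpoint can read any account by guessing its id."""
    record = ACCOUNTS.get(account_id)
    return (200, record) if record is not None else (404, None)


def lookup_account_secure(account_id: int, token: str = ""):
    """Hardened handler: authenticate the caller, then authorise the object.
    Both checks matter; authentication alone would still let any one customer
    read every other customer's record."""
    caller = verify_token(token)
    if caller is None:
        return 401, None  # not authenticated
    if caller != account_id:
        # Authenticated but not the owner.  Answer 404 rather than 403 so the
        # endpoint does not confirm which account ids exist.
        return 404, None
    record = ACCOUNTS.get(account_id)
    return (200, record) if record is not None else (404, None)


def scrape(handler, id_range, token: str = ""):
    """What an attacker does: walk the id space and keep every record returned."""
    stolen = {}
    for account_id in id_range:
        status, record = handler(account_id, token)
        if status == 200:
            stolen[account_id] = record
    return stolen


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no token:", len(scrape(lookup_account_vulnerable, ids)), "records")
    print("secure, no token:", len(scrape(lookup_account_secure, ids)), "records")
    print("secure, token for 1002:", scrape(lookup_account_secure, ids, issue_token(1002)))
```

Run stand-alone, the vulnerable handler returns all three constructed records to an unauthenticated scraper, while the hardened handler returns nothing without a token and only the caller's own record with one. The two checks are deliberately separate: a token check without the ownership check is the more common real-world gap, because the endpoint looks authenticated in testing yet still serves any record to any logged-in user.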
New data breach impacts 37 million accounts
T-Mobile revealed on Thursday that the attacker started stealing data using the impacted API around November 25, 2022. The mobile carrier detected the malicious activity on January 5, 2023, and cut off the attacker's access to the API one day later.
The company said the API abused in this security breach did not allow the attacker to gain access to affected customers' driver's licenses or other government ID numbers, social security numbers/tax IDs, passwords/PINs, payment card information or other financial account info.
"Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features," T-Mobile said.
"The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set."
The company described the data stolen in this attack as "basic customer information" in a separate press release.
T-Mobile has reported the incident to U.S. federal agencies and is now working with law enforcement to investigate the breach.
The carrier is also now notifying customers who might have had their sensitive personal information stolen as a result of this breach.
"Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network," T-Mobile said.
Eighth T-Mobile data breach since 2018
While this is the first breach disclosed by T-Mobile since the start of the year, the mobile carrier has disclosed seven other data breaches since 2018, including one where attackers gained access to the data of roughly 3% of all T-Mobile customers.
In 2019, T-Mobile exposed prepaid customers' data. Unknown threat actors also accessed T-Mobile employees' email accounts in March 2020.
In December 2020, unknown threat actors also gained access to customer proprietary network information (CPNI, such as phone numbers and call records), and in February 2021, attackers accessed an internal T-Mobile application without authorization.
Several months later, in August 2021, hackers brute-forced their way through T-Mobile's network after a breach of the carrier's testing environments.
After the August 2021 breach, the carrier failed to stop the stolen data from being leaked online even though it paid the attackers $270,000 through a third-party firm.
Last but not least, the company also confirmed in April 2022 that the Lapsus$ extortion gang had breached its network using stolen credentials.
Comments
wackoinWaco - 1 year ago
And this is exactly why I changed carriers 2 years ago. Their security is worse than any I have ever seen.
jrm271 - 1 year ago
I'm glad I switched from them; this is now another reason I'm glad. Poor basic call quality. Need to correct the fundamentals before pushing so hard with how great their 5G is. 5G isn't even good for your health, I read.
ftcm207 - 1 year ago
It’s probably best to assume every site will be breached, so don’t use a cell # for 2FA in order to eliminate the risk of a SIM card attack or rogue forwarding (obvious or subtle hijacking of your cell # to get your 2FA codes).
Having protected yourself that way greatly limits potential damage from any breach.
It’s not easy to find a bank or credit union that offers 2FA without a cell # but they’re out there. They offer 2FA through an authenticator app of some sort, a standalone hardware key generator, a Yubi USB key, etc., but also crucially let you remove your cell # as a fallback/backup method.
Same with online backup services, btw.
Even Amazon now lets you use an authenticator app for 2FA without having your cell # as a backup method.
Gmail offers several 2FA options but I strongly recommend having at least THREE before removing your cell # as a 2FA option in order to avoid getting locked out.
Banks and phone companies lag in security though, probably because everyone uses them so they have many millions of difficult customers to handle, low margins and complacent attitudes from years of undeserved momentum.
My financial institutions have the alternate 2FA methods and configuration options mentioned above, but I won’t divulge them online to avoid associating them with my forum ID.
Btw, for technically challenged people, cell-# 2FA is better than nothing.
SoftwareEngineer248 - 1 year ago
This is a super good post.
This hack does not surprise me because I have seen software engineers make the same mistake at other companies. Basically, every service should check to see if the request is authorized before responding to the request. Unfortunately, this does not always happen. The biggest problems I have seen are the following:
1) Software engineer apathy - Basically the developer does not care about security.
2) Lack of skill - The developer does not know that they have to authenticate requests or how to authenticate requests.
3) Authentication APIs and technologies are hard to use. Examples include JSON Web Tokens (JWT), SAML and Azure Active Directory's Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-overview).
h_b_s - 1 year ago
I'd add a 4th:
4) Management is more concerned about pinching pennies and usually doesn't understand why customer privacy and security should matter. This has a trickle-down effect if the CIO/CISO are mere figureheads and not empowered to make changes.