Telecommunications giant T-Mobile recently revealed it has suffered another data breach after a malicious operator stole the personal data of 37 million current prepaid and post-paid customer accounts via one of its active Application Programming Interfaces.

An Application Programming Interface, or API for short, is a software mechanism or interface commonly utilised by computers and applications to communicate with one another.

A multitude of online web services employ APIs to allow their online applications and external partners to retrieve and access internal data, provided that they can pass the correct authentication tokens.

Although T-Mobile has not yet shared how its API was compromised, threat operators commonly discover flaws that enable them to obtain data without needing to provide authentication.

Millions of customer accounts impacted

In a recent announcement from T-Mobile, the company stated that the threat actor started stealing information using the affected API around the end of November last year. However, the world-renowned mobile carrier only discovered the malicious activity early this year, on January 5. It immediately cut off the threat operator’s access to the API.

The carrier commented that the API abused during the security breach did not enable the attacker to obtain access to impacted customers’ registered driver’s licences or other types of government ID numbers, like tax and social security numbers. Additionally, the event did not compromise customers’ PINs, passwords, payment card information or other types of financial account information.

T-Mobile commented on the personally identifiable information (PII) exposed:

“Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features. The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current post-paid and prepaid customer accounts, though many of these accounts did not include the full data set.”

In a further press release, T-Mobile described the stolen data as “basic customer information”.

A long history of data breaches

Although this is the first breach notice T-Mobile has issued in 2023, the telecoms company has disclosed seven different data breaches since 2018.

In 2019, the company exposed its prepaid customers’ personal data and, in March 2020, malicious actors accessed its employees’ company email accounts. Later that year in December, hackers accessed customer network information like call records and phone numbers, and in February the next year, attackers got hold of an internal company app without authorisation.

In August 2021, attackers used brute-force tactics to enter T-Mobile’s network and the carrier was later unable to prevent stolen data being leaked online despite paying $270,000 via a third-party company.

Finally, the firm also confirmed last April that the Lapsus$ gang had breached its dedicated network using stolen credentials.

T-Mobile has now reported the event to U.S. federal agencies and is working alongside law enforcement on a full investigation of the breach. It is also informing all customers who may have been impacted by the data theft.