T-Mobile, an American wireless network operator, has disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).

While T-Mobile did not share how its API was exploited, threat actors commonly find flaws that allow them to retrieve data without authenticating first.

The company said the API abused in this security breach did not allow the attacker to gain access to affected customers’ driver’s licenses or other government ID numbers, social security numbers/tax IDs, passwords/PINs, payment card information (PCI), or other financial account info.

“Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features,” T-Mobile said.

“The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.”

T-Mobile has reported the incident to U.S. federal agencies and is now working with law enforcement to investigate the breach.