API Attacker Steals Data on 37 Million T-Mobile Customers

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

T-Mobile has admitted that tens of millions of customers had their personal and account information accessed by a malicious actor via an API.

The US mobile carrier explained in an SEC filing yesterday that the attack began “on or around” November 25 2022, but was not discovered until January 5 2023, after which time T-Mobile contained and remediated the incident within a day.

Among the information compromised by the threat actor were customer names, billing and email addresses, phone numbers, dates of birth, T-Mobile account numbers and information such as the number of lines on the account and plan features.

T-Mobile sought to play down the seriousness of the breach in a related statement, claiming that “nearly all” of the info stolen “is the type widely available in marketing databases or directories.”

That misses the point slightly in that large troves of data like this provide a readymade profile on each customer for scammers to use in follow-on phishing and identity fraud attempts.

“No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised,” T-Mobile added in its statement.

“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”

It’s unclear exactly what kind of API flaw was exploited by the threat actors, or why it took nearly a month and a half for the carrier to detect the breach.

Ivan Novikov, CEO and co-founder of Wallarm, argued that organizations should regularly review and update their security systems, policies and capabilities, and have incident response plans in place.

“As organizations continue to accelerate their digital transformation efforts and leverage more and more APIs, it’s crucial that they have the right tools and expertise in place to protect their sensitive data,” he added.

“Unauthorized access through a single API can lead to a significant data breach.”

Editorial credit icon image: nikkimeel / Shutterstock.com

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Apple Boosts Spyware Alerts For Mercenary Attacks
OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
Report Suggests 93% of Breaches Lead to Downtime and Data Loss
U.S. Treasury Hamas Spokesperson for Cyber Influence Operations
Palo Alto Networks Warns About Critical Zero-Day in PAN-OS

Leave a Reply

Your email address will not be published. Required fields are marked *