The attacker obtained customer names, billing addresses, emails, phone numbers, and birth dates through an internal API.
T-Mobile has revealed the company’s second major breach in less than two years, admitting that a hacker was able to obtain customer data, including names, birth dates, and phone numbers, from 37 million accounts. The telecom giant said in a regulatory filing on Thursday that it currently believes the attacker first retrieved data around November 25th, 2022, through one of its APIs.
T-Mobile says it detected malicious activity on January 5th and that the attacker had access to the exploited API for over a month. The company says it traced the source of the malicious activity and fixed the API exploit within a day of the detection. T-Mobile says the API used by the hacker did not allow access to data that contained any social security numbers, credit card information, government ID numbers, passwords, PINs, or financial information.
In a public press release announcing the breach, T-Mobile omitted that the breach impacted 37 million accounts and that it had gone undetected for over a month. Instead, the statement said the company had “shut it down within 24 hours” once its teams had identified the issue. T-Mobile has started to notify customers whose information may have been obtained in the breach.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” the company said in the filing. “There is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
T-Mobile has disclosed eight hacks since 2018, with previous breaches exposing customer call records in January 2021, credit application data in August 2021, and an “unknown actor” accessing customer info and executing SIM-swapping attacks in December 2021. In April last year, the hacking group Lapsus$ stole T-Mobile’s source code after purchasing employees’ credentials online.