T-Mobile announced in a financial filing this week that the company had been breached. The hacker utilized a vulnerability in its Application Programming Interfaces (API) to access and steal the personal data of 37 million customers.
APIs enable technical solutions to talk or exchange data with another and can be extremely vulnerable if left unsecured. Oftentimes, APIs may either not have role-based access (RBAC) enabled, proper authentication, or be left unmonitored.
The stolen data includes “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” since November 25, 2022.
T-Mobile said in an SEC filing that it had not detected the breach until January 5, 2023 and remediated the vulnerability “within a day” that the hacker was exploiting.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company wrote.
This is the eighth time T-Mobile has been hacked since 2018. The most recent was in 2022 when hacker group Lapsus$ was able to gain access to the company’s internal tools. This allowed the cybercriminals to perform SIM swaps. SIM swaps allow a malicious actor to take over a victim’s phone number and try to leverage this access to reset sensitive account passwords such as email or cryptocurrency wallets.
As security and ethical hacker Rachel Tobac highlights, this hack reinforces the cyber threat of SIM swapping and protecting your accounts with multi-factor authentication methods that do not utilize SMS.
Two-factor authentication methods that rely on SMS have proven increasingly dangerous. One of the most high-level examples of a SIM swap attack on a public figure was Jack Dorsey, former CEO of Twitter.
