T-Mobile said "basic" customer data was taken from around 37 million users
(Image credit: T-Mobile)
T-Mobile has warned millions of its customers that a threat actor used an Application Programming Interface (API) to gain access to some of their sensitive data.
In a warning published on the company’s website, T-Mobile tried to play down the importance of the incident, saying some “basic customer information (nearly all of which is the type widely available in marketing databases or directories)” was obtained.
The data, however, includes people’s names, billing addresses, email addresses, phone numbers, dates of birth, and account numbers, all valuable information for identity theft (opens in new tab) attacks, phishing, and similar social engineering attacks.
Millions of victims
Passwords, payment card information, Social Security numbers, government ID numbers, as well as financial account information, remained safe, the company confirmed. It also said its investigation concluded that there was no evidence of a breach in its networks or systems.
While the warning does not say how many people were affected by the breach, and which account types were compromised, a total of 37 million customers had their data accessed, including both prepaid and postpaid customers.
The attack was taking place between November 25, 2022, and January 5, 2023. It was on January 6 that T-Mobile finally cut the threat actors’ access.
> T-Mobile to fork out $350m penalty over infamous data breach
> T-Mobile investigates massive potential data breach
> Here’s our rundown of the best firewalls (opens in new tab)
The company reported the attack to both law enforcement and federal agencies in the United States, whose investigation is now ongoing, it was said. T-Mobile also added that it started notifying customers who might have had their data compromised.
The German telecommunications giant’s track record for data breaches is far from ideal. The company’s had multiple incidents over the years, including one in 2018, one in 2019, and at least three in 2020. In 2021, it was found that the company paid hundreds of thousands of dollars to not have its sensitive data leaked to the web, which happened anyway, and a year later, in 2022, confirmed being targeted by the Lapsus$ extortion gang.
Via: BleepingComputer (opens in new tab)
Are you a pro? Subscribe to our newsletter
Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.