T-Mobile confirms new data breach impacting 37 million accounts

On Thursday, January 19, T-Mobile published an article on its website informing customers about a recent data breach. According to the article, T-Mobile discovered through an investigation that a bad actor was able to use an API to “obtain limited types of information” on customer accounts. T-Mobile cut off the hacker’s access within 24 hours, which “prevented the most sensitive types of customer information from being accessed.”

“While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware,” the mobile carrier explained in its notice.

T-Mobile says the bad actor did obtain some basic customer information, such as names, billing addresses, emails, phone numbers, birthdays, account numbers, number of lines on the account, and service plan features. Passwords, credit card details, social security numbers, government ID numbers, and other financial account information were not compromised.

T-Mobile’s customer notice didn’t include specifics, but its filing with the Securities and Exchange Commission (SEC) did. The SEC filing reveals that the hacker obtained data on approximately 37 million postpaid and prepaid T-Mobile customer accounts.

“We currently believe that the bad actor first retrieved data through the impacted API starting on or around November 25, 2022,” T-Mobile explains in the SEC filing. “We are continuing to diligently investigate the unauthorized activity. In addition, we have notified certain federal agencies about the incident, and we are concurrently working with law enforcement. Additionally, we have begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.”

This data breach comes less than two years after T-Mobile dealt with a similar incident that affected 50 million customers. The good news is that neither hack included financial information or private details that could put customers or their bank accounts at risk.