The US branch of T-Mobile has been hit by a cyberattack. The personal data of 37 million customers was stolen.

According to an official statement, a cybercriminal managed to break into T-Mobile’s systems via an API. In August 2021, a prior incident leaked the data of 48 million customers.

The most recent attack took place around November 25, 2022. The breach wasn’t discovered until January 5 of this year, meaning the API remained vulnerable for a considerable period of time. The perpetrator managed to steal the data of as many as 37 million customers.

Data exfiltration

T-Mobile USA claims its security systems and policies prevented the most sensitive customer data from being captured. The organization suggests the API did not provide access to sensitive financial information.

The attacker nevertheless accessed customer data, including billing addresses, e-mail addresses, phone numbers, dates of birth, T-Mobile account numbers and subscription information.

The provider has taken the “necessary steps” to counter the effects. External security experts were enlisted and judicial authorities were notified. Affected customers have been informed.

T-Mobile USA has a history of data breaches. Between 2018 and 2023, the organization faced eight major incidents. Many involved the data of millions of customers.
