T-Mobile Hacked – Over 37 Million Customer Data Exposed

T-Mobile US, Inc. discovered that a malicious attacker was illegally accessing data through a single Application Programming Interface (“API”).

The research revealed that the threat actors accessed information for about 37 million active postpaid and prepaid customer accounts using this API, however many of these accounts did not include the complete data set.

A software interface or mechanism known as an API is frequently used by applications or computers to communicate with one another. Many online web services use APIs so that, as long as the proper authentication tokens are passed, their online apps or external partners can get internal data.

T-Mobile Hacked 37 Million Customer Data Exposed

Reports stated that no customer payment card information (PCI), social security or tax identification numbers, driver’s license or other government ID numbers, passwords or PINs, or other financial account information were accessible through the API that was misused by the bad actor, so none of this information was disclosed.


The impacted API is only able to give a small subset of customer account data, such as name, billing address, email, phone number, date of birth, T-Mobile account number, and details like the account’s line count and plan features.

“The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set”, T-Mobile reports.

The malicious actor is suspected to have accessed the impacted API for the first time starting on or about November 25, 2022.

The firm is actively looking into the unauthorized behavior, has informed a number of federal agencies about it, and is cooperating with law enforcement at the same time.

According to applicable state and federal regulations, the firm has also started alerting customers whose information may have been accessed by the bad actor.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile.

Data from T-prepaid Mobile’s users was leaked in 2019. In March 2020, unidentified threat actors also gained access to the email accounts of T-Mobile employees.

In March 2020, unidentified threat actors also gained access to the email accounts of T-Mobile employees.

Following a compromise of the carrier’s testing environments, hackers brute-forced their way into T-network Mobile in August 2021.

Additionally, the company acknowledged in April 2022 that the Lapsus$ extortion group had accessed its network using credentials that were stolen.

Network Security Checklist – Download Free E-Book

Source: gbhackers.com