Wireless network operator T-Mobile has suffered another data breach.
According to a notice filed with the US Securities and Exchange Commission (SEC), on January 5, 2023, T-Mobile discovered that hackers had exploited a weakness in the company’s API to steal data.
T-Mobile’s preliminary investigation has found that the details of “approximately 37 million current postpaid and prepaid customer accounts” were stolen by hackers.
Although the API did not provide access to customers’ social security numbers, passwords, payment card details and other financial account information, it appears that a large number of customers have had the following details exposed:
- payment address
- phone number
- date of birth
- T-Mobile account number
- information such as the number of lines on the account and plan features
So it’s good news that payment information hasn’t been stolen, but the information that is now in the hands of hackers is absolutely enough to scam unwary T-Mobile customers.
We shouldn’t be at all surprised if fraudsters use the information they stole from T-Mobile to send convincing phishing messages, perhaps masquerading as legitimate communications from the carrier, with the intention of tricking unwary recipients into sharing more sensitive information.
According to T-Mobile, the attackers first exploited the affected API around November 25, 2022. This means they could have sought data about T-Mobile customers for over a month before their unauthorized access was noticed.
T-Mobile says it is informing affected customers of the data breach and has notified federal authorities and law enforcement.
I recently talked about how many times T-Mobile has been breached – here are some of the incidents I know of:
August 2021 – T-Mobile warned that cybercriminals had gained access to customers’ names, driver’s license information, government identification numbers, social security numbers, dates of birth, T-Mobile prepaid PINs, addresses and phone numbers.
The confirmation from T-Mobile came just days after a hacker offered for sale on an underground forum data related to what they claimed were 100 million T-Mobile users.
January 2021 – “Hackers were able to access customer account information, which T-Mobile said may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your account’s wireless service.”
March 2020 – T-Mobile revealed hackers broke into employee email accounts and stole customer account information.
November 2019 – T-Mobile confirmed that more than one million prepaid customers were affected by a breach in which hackers gained access to their names, phone numbers, billing addresses, T-Mobile account numbers and pricing and plan details.
August 2018 – Hackers stole details of two million T-Mobile customers.
In 2021, T-Mobile began “a significant multi-year investment in collaboration with leading external cybersecurity experts to improve [its] cyber security capabilities and transform [its] approach to cyber security.”
The company says it has “made significant progress to date and protecting [its] customer data remains a top priority.”
It’s all pretty depressing, isn’t it? Here’s a picture of T-Mobile’s store in Times Square to cheer you up.
Did you find this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.