Wireless network operator T-Mobile has suffered yet another data breach.
According to a notice filed with the US Securities and Exchange Commission (SEC), T-Mobile discovered on 5 January 2023 that hackers had exploited a weakness in the company’s API to steal data.
T-Mobile’s preliminary investigation has found that the details of “approximately 37 million current postpaid and prepaid customer accounts” have been stolen by hackers.
Although the API did not grant access to customers’ social security numbers, passwords, payment card details, and other financial account information it turns out that a large number of customers have had the following details exposed:
- billing address
- phone number
- date of birth
- T-Mobile account number
- information such as the number of lines on the account and plan features
So, it’s good news that payment information has not been stolen, but the information that is now in the hands of hackers is definitely enough to scam unwary T-Mobile customers.
We shouldn’t be at all surprised if fraudsters use the information that they have stolen from T-Mobile to send convincing phishing messages, perhaps posing as legitimate communications from the telecoms company, with the intention of tricking unwary recipients into sharing more sensitive information.
According to T-Mobile, the attackers first exploited the impacted API around November 25, 2022. That means that they could have been scooping up data about T-Mobile’s customers for over one month before their unauthorised access was noticed.
T-Mobile says it is informing affected customers about the data breach, and has notified federal authorities and law enforcement.
I’ve last count of how many times T-Mobile has been data breached – here are some of the incidents I know about:
August 2021 – T-Mobile warned that cybercriminals had accessed customers’ names, driver’s license details, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs, addresses and phone numbers.
The confirmation from T-Mobile came days after a hacker offered for sale on an underground forum data related to what they claimed were 100 million T-Mobile users.
January 2021 – Hackers managed to access customer account information which may, in T-Mobile’s words, “have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.”
March 2020 – T-Mobile reveals that hackers broke into employees’ email accounts and stole customer account information.
November 2019 – T-Mobile confirmed that more than one million prepaid customers were impacted by a breach which saw hackers access their names, phone numbers, billing addresses, T-Mobile account numbers, and details about rates and plans.
August 2018 – Hackers stole details of two million T-Mobile customers.
In 2021, T-Mobile “commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance [its] cybersecurity capabilities and transform [its] approach to cybersecurity.”
The company says that it has “made substantial progress to date, and protecting [its] customers’ data remains a top priority.”
It’s all rather depressing, isn’t it? Here’s a picture of T-Mobile’s store at Times Square to cheer you up.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.