"T-Mobile Hacked to Steal Data of 37 Million Accounts in API Data Breach"

T-Mobile has revealed that it experienced a new data breach after a threat actor exploited one of its Application Programming Interfaces (APIs) and stole the personal information of 37 million active postpaid and prepaid customer accounts. T-Mobile did not disclose how its API was exploited, but threat actors typically uncover vulnerabilities that allow them to retrieve data without first authenticating. T-Mobile disclosed that the attacker began stealing data via the compromised API on November 25, 2022. The company identified the malicious behavior on January 5, 2023, and terminated the attacker's API access the next day. The company stated that the API exploited in this security incident did not grant the attacker access to driver's licenses or other government ID numbers, Social Security numbers/tax IDs, passwords/PINs, payment card information, or other financial account information of affected consumers. Instead, the API only provided the attacker with limited customer account data, including names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers, and information such as the number of lines and plan features covered by accounts. This article continues to discuss the new T-Mobile data breach and previous security incidents faced by the mobile carrier.

Bleeping Computer reports "T-Mobile Hacked to Steal Data of 37 Million Accounts in API Data Breach"

Submitted by Anonymous on