T-Mobile, one of the largest mobile telecommunication companies in the United States, announced a data breach on January 5, 2023, that compromised approximately 37 million current postpaid and prepaid customer accounts via unauthorized access to one of its Application Programming Interfaces (APIs). An API is a type of software interface that allows two applications to communicate with each other using a set of definitions and protocols.
According to the company, the attacker first retrieved data through the impacted API starting on or around November 25, 2022, and T-Mobile was able to identify the source of the malicious activity and put a stop to it within 24 hours of discovering the breach. The company stated that its systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances were not at risk. The API that was abused by the attacker did not allow access to any customer payment card information, social security numbers, driver’s license or other government ID numbers, passwords, or other financial account information.
T-Mobile is continuing to investigate the unauthorized activity, has reported the incident to certain U.S. federal agencies, and is working with law enforcement to investigate the breach. The company has started notifying customers whose information may have been obtained by the attacker, and there is currently no evidence that the attacker was able to breach or compromise T-Mobile’s systems or network.