An Insecure API Exposed the Data of 2.3 million T-Mobile Subscribers

Mobile provider T-Mobile has informed 2.3 million of its subscribers that personal data associated with their accounts was exposed to an attacker as the result of an unprotected API.

According to the company, the data exposed included name, billing zip code, phone number, email address and account number. It did not include financial data or social security numbers.

In a customer service advisory posted on its website, T-Mobile informed subscribers that its security team detected "an unauthorized capture of some information" and reported the incident to law enforcement. A T-Mobile spokesperson told Threatpost that the unauthorized access appeared to originate from outside the United States. The spokesperson explained that the attacker took advantage of "a specific leaky API tied to an undisclosed part of its website", which was promptly addressed once identified.

T-Mobile has over 77 million subscribers, meaning data for approximately 3% of them was put at risk because of this incident.
