The personal information of about 37 million T-Mobile customers was stolen in a recent hack. This is the latest of numerous T-Mobile data breaches.

T-Mobile confirmed this latest hack in a U.S. Securities and Exchange Commission (SEC) filing. On Jan. 5, it discovered a “bad actor” was obtaining data from a single API without authorization.

“We promptly commenced an investigation with external cybersecurity experts,” it said.

T-Mobile’s investigation is ongoing. The hacker didn’t breach or compromise T-Mobile’s systems or network.

Customer Account Data Accessed

The API abused by the bad actor does not provide access to any customer payment card information (PCI), Social Security numbers/tax IDs, driver’s licenses or other government ID numbers, passwords/PINs or other financial account information, T-Mobile said.

The API did provide customer account data. That included names, billing addresses, email addresses, phone numbers and dates of birth. It also provided T-Mobile account numbers and information such as the number of lines on the account and plan features.

It appears the bad actor first retrieved data through the impacted API starting on or around Nov. 25, T-Mobile said.

“We are continuing to diligently investigate the unauthorized activity,” it said. “In addition, we have notified certain federal agencies about the incident. And we are concurrently working with law enforcement.”

In addition, T-Mobile is notifying customers whose information may have been stolen.

Last July, T-Mobile agreed to pay $350 million to customers in a class-action lawsuit related to personal information stolen in a 2021 cyberattack.

Many Unanswered Questions

Nick Rago is field CTO at Salt Security. He said T-Mobile has provided no technical details on the hack in its SEC filing.

Salt Security’s Nick Rago

“Uncovering an API attack after the fact – in this case, 41 days and 37 million records later – is just not good enough,” he said. “Many questions remain to be answered by T-Mobile about the incident. Was the API known to T-Mobile? Did it require any authentication and authorization to use? Where was the API exposed and what was its business and functional purpose?”

Now more than ever, organizations must have proper API runtime protection in place, Rago said.

Customers Must be ‘Extremely’ Vigilant

David Emm is principal security researcher at Kaspersky.

Kaspersky’s David Emm

“For T-Mobile customers, this breach means only one thing: Consumers need to be extremely vigilant over the coming days and weeks,” he said.

Customers could expect phishing attacks from threat actors pretending to be T-Mobile representatives or even competitors offering special deals, Emm said.

“The best advice we can give to all T-Mobile customers is not to respond to unsolicited messages,” he said. “If you want to check a deal, go directly to a company’s website, rather than clicking a link in an email.”

The attackers might make the database publicly accessible by putting it up for sale on the dark net, Emm said. This is a common action for ransomware actors. They post about new successful hacking incidents in their public blogs, as well as the stolen data itself.