Cyber Incident Victim: T-Mobile US
Date: Nov 2022
Location: United States of America
Summary
A threat actor exploited an API to steal basic customer information from approximately 37 million current postpaid and prepaid accounts, including names, billing addresses, emails, phone numbers, dates of birth, account numbers, and service plan details—though financial data, passwords, and government IDs were not compromised. The breach was detected over a month after unauthorized access began, promptly contained, and reported to federal authorities, with impacted customers notified; this incident marks the eighth such security event affecting the telecommunications provider since 2018.
Description
On November 25, 2022, a threat actor began exploiting a T-Mobile API to steal data from approximately 37 million current postpaid and prepaid customer accounts. The unauthorized activity continued undetected until January 5, 2023, when T-Mobile identified the breach and terminated the attacker's API access within one day. The compromised API provided access to limited customer account information, including names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and service plan details such as the number of lines and features. Notably, the breach did not expose more sensitive data categories including government-issued identification numbers, Social Security numbers, financial account information, payment card details, or account passwords and PINs. While all affected accounts had some data exposed, T-Mobile confirmed many records did not contain the complete set of available information. The company characterized the stolen data as "basic customer information" in public statements and initiated notifications to impacted customers regarding potential exposure of their personal details.

T-Mobile reported the incident to federal agencies and collaborated with law enforcement during the investigation, which remained ongoing at the time of disclosure. The company asserted that malicious activity appeared fully contained by January 6, 2023, with no evidence of broader system or network compromise beyond the API exploitation. This marked T-Mobile's eighth disclosed security incident since 2018, following previous breaches including a 2021 attack affecting 3% of customers, unauthorized access to employee emails in 2020, and an April 2022 intrusion by the Lapsus$ extortion group using stolen credentials. Historical context revealed persistent security challenges, exemplified by T-Mobile's failure to prevent data leaks after a 2021 breach despite paying $270,000 ransom through intermediaries. The 2022 API breach highlighted continued vulnerabilities in T-Mobile's infrastructure despite prior incidents, though the company maintained operational systems and customer financial protections remained uncompromised in this specific event.
