A hacker leveraged an Application Programming Interface (API) to steal the personal information of 37 million customers over two months, undetected, from American cellular carrier T-Mobile.
The acknowledgment by the carrier in a filing Thursday with the U.S. Securities and Exchange Commission comes six months after it agreed to settle a class action lawsuit over a 2021 data breach involving the personal information of just over 76 million customers. An attacker accessed the carrier’s testing environments, then used brute force attacks and other methods to get into other IT servers that included customer data.
As a result of that 2021 hack, T-Mobile said, it started “a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”
In its regulatory filing, T-Mobile said that on Jan. 5 it discovered that a “bad actor was obtaining data through a single Application Programming Interface” in a compromise that started Nov. 25, 2022.
It didn’t explain how the API was exploited.
“We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event. The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed. Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”
An API lets a product or service communicate with other products and services, but as Red Hat notes, they also allow organizations to share data with customers and other external users. IBM points out that an API allows users to log into several sites using their Google or Twitter credentials, and travel booking sites to aggregate thousands of flights. However, F5 Networks writes that APIs have to be secured from injection, cross-site-scripting, man-in-the-middle and other attacks through strong authentication.
Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, said that unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. “The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data.”
Given that the exfiltration of 37 million customer records was not detected and blocked by the anomaly detection system, he suspects the breached API belonged to the unknown and thus unprotected shadow assets.
While the financial data of the customers is reportedly safe, he added, what the hacker got can be used by cybercriminals for sophisticated spear phishing attacks.
“In view of the previous security incidents implicating T-Mobile,” he also said, “legal consequences for this data breach may be pretty harsh – courts and regulators will be unlikely to be lenient when considering monetary and other available sanctions.”
The stolen data can be quite valuable to cryptocurrency thieves, said Joe Stewart, principal security researcher at eSentire’s threat response unit. They may be able to cross-reference known cryptocurrency holders with the stolen customer list, and target them for SIM swaps of T-Mobile customers. Then attacker could access email and cryptocurrency exchange accounts of the victim.
The process for mitigating API vulnerabilities is not much different than mitigating vulnerabilities in custom web applications, he added. In fact, he said in an email, there is a lot of overlap because the API in most cases may be a fundamental part of a web application. Any web app penetration tests should routinely seek to identify vulnerabilities in custom APIs, he said, but these tests need to be very thorough, especially if the API has access to important data such as PII (personally identifiable information), not just because of the possible impact of a large-scale data breach, but also because API vulnerabilities are among the easiest types of vulnerabilities to exploit.
“API vulnerabilities are not something we typically see traded on the underground,” Stewart wrote. “Usually, the discoverer finds it better to silently steal as much data as they can through the vulnerability before it is discovered and patched, and then sell the raw data, rather than publicize the fact that a particular institution has an API vulnerability by offering it for sale (which may lead to other hackers enumerating and exploiting the same vulnerability before the original discoverer can monetize it).”
