T-Mobile is in hot water again. Another breach, this time due to insecure API.

Sophie McKay
Published in Traceable and True
5 min read · Jan 27, 2023

Within the last week, it has been reported that T-Mobile has had another data breach. On January 5th, T-Mobile detected a threat actor stealing data from its systems, with the theft dating back to the end of November. The stolen data included customers’ names, billing addresses, emails, phone numbers, dates of birth, account numbers and account details. This newest breach has affected 37 million of their customers. Fortunately, the threat actor was not able to access customers’ social security numbers, passwords, or financial information.

This is not the first time that T-Mobile has been on the receiving end of a data breach. Over the last five years, T-Mobile has disclosed eight different hacks, including this newest one. Creating a clear timeline of these breaches is no easy feat, as there have been so many in such quick succession, but we’ll try our best.

  • In 2018, attackers retrieved similar data to the newest breach, but also obtained the encrypted passwords of two million customers.
  • A year later, in 2019, similar data was stolen again, but this time the attack specifically targeted customers on prepaid wireless accounts.
  • In March 2020, the worst attack yet came when T-Mobile’s email vendor was hacked. This gave the attackers access to employees’ email accounts, which contained highly sensitive information such as social security numbers and financial information.
  • This wasn’t the last of the breaches in 2020 though: another happened in December, and this time call-related information was stolen, such as phone numbers and call records.
  • Just two months later, in February 2021, they fell victim to a SIM hijacking attack. This is when scammers take control of a customer’s phone number by porting it to a SIM they control, allowing them to bypass SMS-based multi-factor authentication, steal the user’s account credentials for other services, and take over their online life. There are two routes to obtaining the information needed for this kind of attack: social engineering, or bribing the mobile operator’s employees.
  • Still in 2021, in August, claims were circulating that hackers had over 100 million people’s information potentially up for sale, including social security numbers, driver’s license information, names, and addresses. These rumours ended up being true. The breach was apparently due to a brute-force attack on their network after the attackers obtained access to their testing environments.
  • Finally, in April 2022, the hacking group Lapsus$ gained access to T-Mobile’s network, allowing them to use internal tools such as Atlas, which was used to manage customer accounts. They got in by obtaining employee accounts, either by buying leaked ones or through social engineering.

So, how did it happen this time? Well, it was due to an insecure API. APIs are fast becoming the wild west of application development, with 95% of companies reporting an API security incident in the past 12 months. Details are still emerging about this breach as T-Mobile is still investigating the incident; however, since the attacker was unable to access highly sensitive data such as financial information, the failure was not a total absence of security.

The most likely underlying issue is unauthorised access to sensitive data, whether through Broken Object Level Authorization (BOLA) or Broken User Authentication, the top two categories in the OWASP API Security Top 10. These two issues are massive problems in API security. Companies don’t always protect the right data, protect it correctly, or protect all of it. Although the latest data to be stolen is not the most sensitive, it still matters. Given the different definitions of PII and the legal implications, it should be protected just as carefully.
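To make the two categories concrete, here is an added example (not code from the original post, and not T-Mobile’s API): a minimal account-lookup endpoint shown first with a Broken Object Level Authorization defect, then with the ownership check that closes it, plus a small detection routine that flags one token reading many different account ids. The customers, tokens, account ids and log lines are all constructed for the demo.

```python
from collections import defaultdict
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Customer:
    account_id: str
    name: str
    email: str
    phone: str


# Constructed sample records; none of this is real customer data.
CUSTOMERS = {
    "acct-1001": Customer("acct-1001", "Alice Example", "alice@example.net", "+15555550100"),
    "acct-1002": Customer("acct-1002", "Bob Example", "bob@example.net", "+15555550101"),
    "acct-1003": Customer("acct-1003", "Carol Example", "carol@example.net", "+15555550102"),
}

# Constructed bearer tokens, mapped to the account each token was issued for.
SESSIONS = {"token-alice": "acct-1001", "token-bob": "acct-1002"}


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def authenticate(headers: dict) -> str:
    """Broken User Authentication guard: reject missing or unknown tokens up front.
    Returns the account id the token belongs to."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ApiError(401, "missing bearer token")
    account_id = SESSIONS.get(auth[len("Bearer "):])
    if account_id is None:
        raise ApiError(401, "invalid token")
    return account_id


def get_account_vulnerable(headers: dict, account_id: str) -> Customer:
    """BOLA: the caller is authenticated, but the handler never checks that the
    requested account belongs to them, so any valid token can walk every id."""
    authenticate(headers)
    customer = CUSTOMERS.get(account_id)
    if customer is None:
        raise ApiError(404, "no such account")
    return customer


def get_account_hardened(headers: dict, account_id: str) -> Customer:
    """Fixed: the object id in the URL must match the identity bound to the token.
    A 404 (not 403) avoids confirming which account ids exist."""
    caller = authenticate(headers)
    if account_id != caller:
        raise ApiError(404, "no such account")
    customer = CUSTOMERS.get(account_id)
    if customer is None:
        raise ApiError(404, "no such account")
    return customer


def handle(endpoint, headers: dict, account_id: str):
    """Framework-style wrapper: turn the result or ApiError into (status, body)."""
    try:
        return 200, asdict(endpoint(headers, account_id))
    except ApiError as e:
        return e.status, {"error": str(e)}


def enumeration_suspects(access_log, threshold: int = 3):
    """Detection side: tokens whose successful reads span at least `threshold`
    distinct account ids. A customer token should only ever read its own account,
    so a wide spread is the signature of id enumeration through a BOLA hole.
    Log entries are (token, account_id, http_status) tuples."""
    seen = defaultdict(set)
    for token, account_id, status in access_log:
        if status == 200:
            seen[token].add(account_id)
    return sorted(token for token, ids in seen.items() if len(ids) >= threshold)


# Constructed access log: one token reading its own account, another walking ids.
SAMPLE_LOG = [
    ("token-alice", "acct-1001", 200),
    ("token-bob", "acct-1002", 200),
    ("token-bob", "acct-1001", 200),
    ("token-bob", "acct-1003", 200),
    ("token-bob", "acct-1004", 404),
]


if __name__ == "__main__":
    alice = {"Authorization": "Bearer token-alice"}
    print("vulnerable, other account:", handle(get_account_vulnerable, alice, "acct-1002"))
    print("hardened, other account:  ", handle(get_account_hardened, alice, "acct-1002"))
    print("hardened, own account:    ", handle(get_account_hardened, alice, "acct-1001"))
    print("enumeration suspects:     ", enumeration_suspects(SAMPLE_LOG))
```

The vulnerable handler is not missing authentication; it is missing the per-object ownership decision, which is exactly why a breach like this can leak names, addresses and account numbers while still keeping the data a separate control guards (passwords, payment details) out of reach. The detection routine is deliberately simple; in a real deployment you would key on the authenticated principal rather than the raw token and tune the threshold to the number of accounts a legitimate customer or agent can own.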

But it’s hard to find a starting point. OWASP is always a great resource for educating yourself and building a prioritised list of the fixes that can be made. Darkspark can also help here by showing where you should focus: it prioritises the most sensitive data so that you can put those newly learnt prevention skills to use and remediate the issues that matter most.

T-Mobile has a lot to learn and a long way to go. They will probably be gracing us with another breach soon, as history tends to repeat itself. Don’t follow suit: brush up on your API security.

Originally published at https://bycontxt.com on January 27, 2023.
