Anatomy of a Breach: T-Mobile — 37 Million Customers via API and the Company's Sixth Appearance in This Series

> series: anatomy_of_a_breach —— part: 170 —— target: t-mobile —— records: 37,000,000 —— breach_number: sixth_in_series —— method: api_abuse

Hedgehog Security 28 February 2023 12 min read

37 million customers. Through an API. T-Mobile's sixth breach in this series.

In January 2023, T-Mobile disclosed that an attacker had been accessing customer data through one of its APIs since approximately 25 November 2022. The breach affected approximately 37 million postpaid and prepaid customer accounts, with exposed data including names, billing addresses, email addresses, phone numbers, dates of birth, account numbers, and plan details. The breach was discovered on 5 January 2023 and disclosed in an SEC filing — 41 days after it began.

This was T-Mobile's sixth documented appearance in the Anatomy of a Breach series — following the UK insider breach (2009), API vulnerability (2018), 40M+ records (2021), and others — making it the most frequently breached company in the entire series. The 2023 breach was yet another API vulnerability — the same attack surface that compromised T-Mobile in 2018, and the same vulnerability class documented from AT&T (2010) through Twitter (2022). Despite the $500 million settlement from the 2021 breach (including $150 million earmarked for security improvements), T-Mobile's API security remained inadequate.


2009. 2018. 2021. 2023. And counting.

The Most Breached Company in This Series
Six documented breaches across fifteen years — T-Mobile holds the unenviable record in the Anatomy of a Breach series. Repeated breaches at the same organisation indicate that security investment is either insufficient, misallocated, or not implemented effectively. Our <a href="/penetration-testing">penetration testing</a> identifies systemic weaknesses, not just point vulnerabilities.
APIs — The Recurring Attack Surface
T-Mobile's 2018 and 2023 breaches were both API vulnerabilities. API security has been a persistent gap throughout this series since 2010. Our <a href="/penetration-testing/api">API penetration testing</a> provides the continuous assessment that API surfaces require — with every release, every change, every new endpoint.
41 Days Undetected
The attacker had 41 days of API access before detection. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for anomalous API access patterns — high-volume queries, unusual data access patterns, and out-of-hours activity — detecting abuse in hours, not weeks.
$150M for Security — Still Breached
The 2021 settlement included $150 million earmarked for security improvements. Yet T-Mobile was breached again through an API within 18 months. Money alone does not buy security — it must be invested effectively in the right controls, tested continuously, and monitored 24/7. <a href="/cyber-essentials">Cyber Essentials</a> provides the framework for effective investment.

Money without discipline does not buy security.

T-Mobile's sixth breach proved that security investment without effective implementation, continuous testing, and ongoing monitoring is insufficient. API penetration testing must be conducted regularly — not just after breaches. Cyber Essentials certification must be maintained annually. SOC in a Box must monitor continuously. And incident response capability must be maintained and tested. Because T-Mobile spent $150 million on security and was breached through an API 18 months later.


T-Mobile: $150M on security. Breached again through an API. Is your security investment effective?

<a href="/penetration-testing/api">API testing</a> validates API security. <a href="/cyber-essentials">Cyber Essentials</a> provides the framework. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors API access.
