
Anatomy of a Breach: T-Mobile US — 2 Million Customer Records Exposed Through an API Vulnerability

> series: anatomy_of_a_breach —— part: 116 —— target: t-mobile_us —— records: 2,000,000 —— method: api_vulnerability

Hedgehog Security 31 August 2018 11 min read

2 million customers. Another API vulnerability. Another T-Mobile breach.

On 24 August 2018, T-Mobile US disclosed that hackers had exploited an API vulnerability to access the personal data of approximately 2 million customers. The stolen data included names, email addresses, phone numbers, billing zip codes, and account numbers — though T-Mobile stated that no passwords, financial data, or Social Security numbers were compromised.

The breach was notable for two reasons: first, it was the latest in a series of T-Mobile security incidents documented throughout this series — following the T-Mobile UK insider breach of 2009 (Breach #007). Second, it was yet another API vulnerability — joining Moonpig (zero authentication), Snapchat (enumeration), and the AT&T iPad breach (IDOR) in the growing catalogue of API security failures that have appeared throughout this series. Our API penetration testing addresses exactly this vulnerability class.
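To make the vulnerability class concrete, here is an added example (constructed for this article, not T-Mobile's, Moonpig's or AT&T's real code) of a customer-lookup endpoint written two ways: the first trusts whatever account number the caller supplies and never checks who is asking (the zero-authentication and IDOR failures named above), the second authenticates the caller and then authorises the requested object against that identity. The endpoint name, the in-memory customer store and the session tokens are all hypothetical.

```python
"""Added illustration of API authorisation failures (zero authentication
and IDOR) beside the hardened form. Constructed example: the store,
tokens and handler names are hypothetical, not any real company's API."""

from typing import Optional

# Constructed sample customer records keyed by account number.
CUSTOMERS = {
    "100001": {"name": "Alice Example", "email": "alice@example.test", "zip": "90210"},
    "100002": {"name": "Bob Example", "email": "bob@example.test", "zip": "10001"},
}

# Constructed bearer tokens, each mapped to the account its holder owns.
SESSIONS = {
    "tok-alice": "100001",
    "tok-bob": "100002",
}


class ApiError(Exception):
    """Carries the HTTP-style status the handler would respond with."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def vulnerable_get_customer(account_number: str, token: Optional[str] = None) -> dict:
    """Vulnerable pattern: the handler looks up whatever identifier the
    request carries. Nobody is authenticated, and no check ties the
    account number to the caller, so any caller can walk the key space."""
    if account_number not in CUSTOMERS:
        raise ApiError(404, "not found")
    return CUSTOMERS[account_number]


def hardened_get_customer(account_number: str, token: Optional[str] = None) -> dict:
    """Hardened pattern: authenticate first, then authorise the object
    reference against the authenticated principal before returning data."""
    if token is None or token not in SESSIONS:
        raise ApiError(401, "authentication required")
    owner = SESSIONS[token]
    if owner != account_number:
        # 404 rather than 403, so the response does not confirm that the
        # requested account number exists.
        raise ApiError(404, "not found")
    return CUSTOMERS[account_number]


def probe(handler, account_number: str, token: Optional[str] = None) -> int:
    """Return the status a handler produces for a request; 200 on success."""
    try:
        handler(account_number, token)
        return 200
    except ApiError as err:
        return err.status


if __name__ == "__main__":
    # Unauthenticated read of someone else's record succeeds only against
    # the vulnerable handler.
    print("vulnerable, no token:", probe(vulnerable_get_customer, "100002"))
    print("hardened, no token:  ", probe(hardened_get_customer, "100002"))
    print("hardened, wrong owner:", probe(hardened_get_customer, "100002", "tok-alice"))
    print("hardened, own record: ", probe(hardened_get_customer, "100001", "tok-alice"))
```

The test a penetration tester runs against this class is exactly the `probe` calls at the bottom: the same object identifier requested with no credential, with another customer's credential, and with the owner's credential. Only the last should return data.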



From AT&T in 2010 to T-Mobile in 2018 — APIs remain under-tested.

API Vulnerabilities Persist

From <a href="/blog/anatomy-of-a-breach-att-ipad-email">AT&T iPad</a> (2010) through <a href="/blog/anatomy-of-a-breach-snapchat">Snapchat</a> (2014), <a href="/blog/anatomy-of-a-breach-moonpig">Moonpig</a> (2015), and now T-Mobile (2018), API vulnerabilities have appeared in every era of this series. The OWASP API Security Top 10 exists because APIs are consistently under-tested relative to traditional web applications. Our <a href="/penetration-testing/api">API penetration testing</a> addresses all Top 10 categories.

Mobile Apps Depend on APIs

Modern mobile applications — including T-Mobile's customer app — communicate with backend systems through APIs. Every mobile app is an API client, and every API is a potential attack surface. Our <a href="/penetration-testing/mobile-application">mobile application testing</a> assesses both the app and its API communications.

Telecoms: Repeated Failures

T-Mobile's 2018 API breach, combined with the <a href="/blog/anatomy-of-a-breach-t-mobile-uk-insider">2009 UK insider breach</a> and <a href="/blog/anatomy-of-a-breach-vodafone-germany-insider">Vodafone Germany insider</a> (2013), demonstrates that telecoms companies — with their vast customer databases and numerous access channels — face persistent security challenges. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for API abuse patterns.

GDPR Context

The T-Mobile US breach occurred three months after GDPR came into force. While T-Mobile US was not directly subject to GDPR, the breach affected European customers and reinforced the global importance of API security in the GDPR era. <a href="/cyber-essentials">Cyber Essentials</a> addresses application security baseline controls.

Test your APIs. Every year. Every release.

The T-Mobile API breach — the latest in a decade-long series of API security failures documented in this series — reinforces that API testing must be a routine component of every organisation's security programme. APIs change frequently, new endpoints are added with every release, and each new endpoint is a potential vulnerability. API penetration testing must be conducted regularly — not just at launch, but with every significant change to the API surface.

Our API testing covers authentication, authorisation, rate limiting, input validation, data exposure, and business logic flaws. Cyber Essentials mandates baseline application security. SOC in a Box monitors for API abuse. And UK Cyber Defence provides incident response when API vulnerabilities are exploited.


API breaches: 2010, 2014, 2015, 2018. The pattern has not changed. Have your APIs been tested this year?

Our <a href="/penetration-testing/api">API penetration testing</a> covers the OWASP API Security Top 10. <a href="/cyber-essentials">Cyber Essentials</a> mandates baseline controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for API abuse.
