T-Mobile Announces 37 Million Accounts Hacked in Its Eighth Data Breach

T-Mobile has revealed that a threat actor had stolen personal information from 37 million customer accounts through one of its Application Programming Interfaces (APIs). The attack began around November 25, 2022. T-Mobile detected the malicious activity on January 5, 2023, and cut off the attacker’s access to the API a day later. The company described the data stolen as “basic customer information.” The API only allowed access to “a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” the carrier said. T-Mobile has reported the incident to U.S. federal agencies, is working with law enforcement to investigate the breach, and is notifying customers who might have been affected. “Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said. This is the eighth T-Mobile data breach since 2018.