“Every API you add is a new addition to your overall attack surface.”
Theresa Payton, CEO of Fortalice Solutions, to the Wall Street Journal
T-Mobile announced on Thursday, January 19 that it was reviewing a November 2022 data breach, potentially impacting 37 million postpaid and prepaid accounts, carried out through one of its Application Programming Interfaces, or APIs. This advisory is intended to help our clients understand the urgent need to review their API security, and it also summarizes T-Mobile's recent breaches.
According to Reuters, an unknown criminal accessed and stole the personal information of an estimated 37 million customers. The vulnerability was present in one of T-Mobile's Application Programming Interfaces. T-Mobile revealed that the attacker started stealing data using the impacted API around November 25, 2022. The mobile carrier detected the malicious activity on January 5, 2023, and cut off the attacker's access to the API one day later.
To better understand the current breach, it's essential to review the several recent attacks that have hit T-Mobile. According to Bleeping Computer, this is T-Mobile's eighth breach since 2018. In fact, just a few days before T-Mobile announced its latest data breach, CNET reported that time was running out to apply for customer compensation from a past breach. Unfortunately, this has become an all-too-familiar occurrence.
In 2019, T-Mobile exposed prepaid customers' data.
In March 2020, unidentified threat actors accessed T-Mobile employees' email accounts.
In December 2020, unknown criminals accessed customer information, such as phone numbers and call records.
In February 2021, nefarious operatives accessed an internal T-Mobile application.
In August 2021, hackers breached testing environments and laterally moved into T-Mobile's systems through brute force.
Following the August 2021 breach, stolen data was leaked online.
In April 2022, the Lapsus$ extortion gang used stolen credentials to access their systems.
Seamless and elegant online customer experiences rely upon easy communication points between programs. That's where the Application Programming Interface, or API, comes in. If you are using a website, chances are there are one or more APIs behind the scenes. They allow for smooth online customer experiences while handing internal data off between systems. What must not be overlooked is that privacy and security, through encryption and authentication, have to be built into those handoffs. So far, T-Mobile has not shared how the criminals exploited the API.
As we continue improving email security to block social engineering attempts, attackers are always looking for new system access points, and an increasingly popular target is APIs. Threat actors hunt for and exploit flaws that allow them to retrieve data without authenticating. McKinsey Consulting estimates that companies accelerated their technology transformation efforts on average by seven years during the pandemic. APIs are likely a large part of those automation efforts, meaning the attack surface available to criminals grew exponentially alongside the transformation.
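The flaw class described above, an endpoint that hands back records without authenticating the caller or checking that the caller is entitled to that particular record, is easiest to see in code. The following is an added illustration, not T-Mobile's code and not a description of the flaw T-Mobile has not yet disclosed; the account data, session tokens and request shape are all constructed for the example. The weak handler trusts the account id in the URL; the hardened handler authenticates a bearer token, authorizes the specific account requested, and returns only the fields the caller needs.

```python
"""Added illustration: an API handler that returns customer records to any
caller, beside a hardened version that authenticates the bearer token and
checks that the caller may read that specific account. All data and tokens
are constructed; this is not T-Mobile's code."""
import hmac

# Constructed sample data: account records keyed by account id.
ACCOUNTS = {
    "1001": {"name": "A. Example", "phone": "+1-555-0100", "plan": "prepaid"},
    "1002": {"name": "B. Example", "phone": "+1-555-0101", "plan": "postpaid"},
}
# Constructed sessions: token -> set of account ids the token holder may read.
SESSIONS = {
    "tok-alice": {"1001"},
    "tok-support": {"1001", "1002"},  # e.g. a support role with broader scope
}


def get_account_vulnerable(request: dict) -> tuple[int, dict]:
    """Weak pattern: the account id in the path is trusted without any check.
    Anyone who can reach the endpoint can walk through ids and harvest records."""
    account_id = request["path_params"]["account_id"]
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def _lookup_session(headers: dict):
    """Return the scope for a valid 'Authorization: Bearer <token>' header,
    or None when the header is missing or the token is unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison so token checking does not leak timing information.
    for token, scope in SESSIONS.items():
        if hmac.compare_digest(presented, token):
            return scope
    return None


def get_account_hardened(request: dict) -> tuple[int, dict]:
    """Hardened pattern: authenticate the caller, authorize the specific object
    requested (object-level authorization), then minimise the response."""
    scope = _lookup_session(request.get("headers", {}))
    if scope is None:
        return 401, {"error": "authentication required"}
    account_id = request["path_params"]["account_id"]
    # Answer 404 rather than 403 so the status code does not confirm which
    # account ids exist to a caller who is not entitled to them.
    if account_id not in scope or account_id not in ACCOUNTS:
        return 404, {"error": "not found"}
    record = ACCOUNTS[account_id]
    # Return only the fields this endpoint needs to expose (data minimisation).
    return 200, {"name": record["name"], "plan": record["plan"]}


if __name__ == "__main__":
    anon = {"path_params": {"account_id": "1002"}}
    print("vulnerable, anonymous caller:", get_account_vulnerable(anon))
    print("hardened, anonymous caller:  ", get_account_hardened(anon))
    alice = {"headers": {"Authorization": "Bearer tok-alice"},
             "path_params": {"account_id": "1002"}}
    print("hardened, wrong account:     ", get_account_hardened(alice))
```

The two checks are deliberately separate: authentication answers "who is calling", authorization answers "may this caller read this record". An API that performs only the first still lets any logged-in user enumerate every other customer, which is why the hardened handler keys its authorization decision on the specific account id in the request.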
T-Mobile's breach is a wake-up call for every organization. If you have a website or mobile app, you have a unique and hidden problem. You could be leaking data to third parties and violating privacy laws. Or you could be susceptible to an attack where criminals can access confidential customer and company data and systems.
In our experience, we’ve found that organizations don’t properly document their APIs and often struggle to create comprehensive inventories. Gartner predicts that by 2023, API abuses will become the most frequent attack vector. Gartner also predicts by 2025, more than 50% of data theft will be due to insecure APIs.
API development is incredibly popular due to accelerated digital transformation efforts. APIs play a key role in internet and mobile apps and Internet-of-Things (IoT) interactions. When dealing with APIs, it's important to understand that weaknesses in internal systems become external attack opportunities once an API exposes them. The most significant data leaks are due to faulty, vulnerable, or hacked APIs, which can reveal medical, financial, and personal data to the public. Additionally, various attacks can occur if an API is not secured correctly, making API security a vital concern for data-driven businesses today.
Begin with the human user stories. Documenting them is vital to understanding how each technology component will be used and where the data needs extra layers of protection.
All design efforts should assume a future breach. This forces your teams to play out what would happen and how to treat the data differently. Data segmentation and layers of encryption play critical roles in mitigating the downstream impacts of an API compromise.
Understand the software bill of materials (SBOM): Request the SBOMs from your third-party vendors to ensure you have a full picture of the architecture.
Continuous monitoring
Continuous authorization
Different layers of authentication between the APIs and the systems
Behavior-based analytics to baseline human behavior to detect anomalies
Red teaming / ethical hacking
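Continuous monitoring and behavior-based analytics, two of the recommendations above, come down to knowing what normal API use looks like and flagging callers who depart from it. The following added example, which is not T-Mobile's tooling and not part of the original advisory, parses constructed API access log lines and flags any client that reads more distinct customer accounts within a short window than a human would. The log format, field names, path shape and thresholds are assumptions chosen for the illustration.

```python
"""Added example of baselining API behaviour: parse constructed access log
lines and flag callers whose spread of account reads departs from the human
baseline. Log format, path shape and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format:
# <ISO-8601 timestamp> <client id> <method> <path> <status>
SAMPLE_LOG = """\
2023-01-05T10:00:01Z client-A GET /v1/accounts/1001 200
2023-01-05T10:00:09Z client-A GET /v1/accounts/1001/billing 200
2023-01-05T10:01:00Z client-B GET /v1/accounts/2001 200
2023-01-05T10:02:00Z client-C GET /v1/accounts/3000 200
2023-01-05T10:02:01Z client-C GET /v1/accounts/3001 200
2023-01-05T10:02:02Z client-C GET /v1/accounts/3002 404
2023-01-05T10:02:03Z client-C GET /v1/accounts/3003 200
2023-01-05T10:02:04Z client-C GET /v1/accounts/3004 200
2023-01-05T10:02:05Z client-C GET /v1/accounts/3005 200
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields and pull the account id out of the
    path (assumed shape: /v1/accounts/<id>[/...])."""
    ts, client, method, path, status = line.split()
    parts = path.strip("/").split("/")
    account_id = parts[2] if len(parts) >= 3 and parts[1] == "accounts" else None
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "account_id": account_id,
        "status": int(status),
    }


def find_enumerators(log_text: str,
                     window: timedelta = timedelta(minutes=5),
                     max_distinct_accounts: int = 3) -> dict:
    """Return {client: peak distinct account count} for every client that read
    more than max_distinct_accounts different accounts inside any sliding
    window. A real customer touches one or two accounts; a caller walking
    through ids touches many in seconds."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client = defaultdict(list)
    for e in events:
        if e["account_id"] is not None:
            by_client[e["client"]].append(e)

    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["account_id"] for e in evs[start:end + 1]}
            if len(distinct) > max_distinct_accounts:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {client}: {count} distinct accounts read inside one window")
```

The threshold in this example is fixed for clarity; in practice the baseline is derived from observed traffic per client type (customer app, support console, partner integration), and the alert feeds the same pipeline that can revoke the offending credential, which is the "continuous authorization" point above.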
Wall Street Journal, “T-Mobile Breach Highlights Common Corporate Security Weakness.” January 23, 2023.
Reuters, “T-Mobile data breach exposes about 37 mln accounts.” January 20, 2023.
Bleeping Computer, “T-Mobile hacked to steal data of 37 million accounts in API data breach.” January 19, 2023.
VentureBeat, “Why API security is a fast-growing threat to data-driven enterprises.” November 23, 2022.
Gartner, “Predicts 2022: APIs Demand Improved Security and Management.” December 6, 2021.
McKinsey & Company, “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” October 2020.