T-Mobile alerts millions of its customers to a breach of its website that resulted in subscriber names, zip codes, phone numbers, email addresses and account numbers being stolen. The company claims no customer financial data or social security numbers were accessed.
The carrier said three per cent of its customers were affected, or about two million to 2.5 million of its 77 million customers.
“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile wrote in its advisory.
A T-Mobile spokesperson told Threatpost that the attack targeted a specific leaky API tied to an undisclosed part of its website. The spokesperson said that the attack was quickly identified, shut down and mitigated. T-Mobile said intruders launched the attack from IP addresses based outside the United States, but declined to reveal the country of origin.
“It was discovered by our security team and almost immediately shut down,” T-Mobile told Threatpost. “So it’s not an ongoing issue and there’s no additional threat. This was a one-off that was dealt with extremely fast.”
“On August 20, our cyber-security team discovered and shut down an unauthorised access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised,” the company said in a statement on Friday.
“However, some personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid),” it added.
All affected customers have been, or shortly will be, notified, said the company.
It is unclear whether the exposed data was actually stolen by the hackers.
Meanwhile, a T-Mobile representative said that “encrypted passwords” had been exposed to hackers.
Some may recall that this is not the first time this year that T-Mobile’s cyber security practices have been called out. Back in May, security researchers found a bug in T-Mobile’s website which allowed any Tom, Dick, or Harry to access the personal data of customers using just a phone number.