According to the company, the data exposed included name, billing zip code, phone number, email address and account number. It did not include financial data or social security numbers.
In a customer service advisory posted on its website, T-Mobile informed subscribers that its security team detected “an unauthorized capture of some information” and reported the incident to law enforcement. A T-Mobile spokesperson told Threatpost that the unauthorized access appeared to originate from outside the United States. The spokesperson explained that the attacker took advantage of “a specific leaky API tied to an undisclosed part of its website”, which was promptly addressed once identified.
T-Mobile has over 77 million subscribers, meaing data for approximately 3% of them was put at risk because of this incident.