T-Mobile disclosed that a hacker gained access to a treasure trove of personal information belonging to 37 million customers in a financial filing on Thursday.
The telecommunications behemoth claimed that the data theft began on November 25 and that the “bad actor” stole “name, billing address, email, phone number, date of birth, T-Mobile account number, information such as the number of lines on the account and plan features.”
T-Mobile claimed in the SEC filing that it discovered the breach on January 5—more than a month after it occurred—and that a day later it had fixed the issue the hacker was taking advantage of.
According to T-Mobile, the hackers misused an application programming interface (API) rather than breaking into any company systems.
There is currently no proof that the bad actor was able to breach or compromise our systems or our network, the company said in a statement. “Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time.”
Since 2018, T-Mobile has experienced eight hacks. The most recent incident occurred in 2022 when a group of hackers going by the name of Lapsus$ managed to gain access to the business’ internal tools. This gave them the opportunity to perform so-called SIM swaps, a type of hack in which hackers take control of a victim’s phone number and then attempt to use it to reset and access the target’s sensitive accounts like email or cryptocurrency wallets.
There are 110 million T-Mobile users in the US. Requests for comment from a T-Mobile spokesperson went unanswered.