
The T-Mobile Attack is the Wake-Up Call on API Security

“Every API you add is a new addition to your overall attack surface.”  



According to Reuters, an unknown criminal accessed and stole the personal information of an estimated 37 million customers. The vulnerability was present in one of T-Mobile's Application Programming Interfaces. T-Mobile revealed that the attacker started stealing data using the impacted API around November 25, 2022. The mobile carrier detected the malicious activity on January 5, 2023, and cut off the attacker's access to the API one day later.


Historical Context for the Attack

Here's a quick history of T-Mobile's past breaches, as reported by Bleeping Computer:


In March 2020, unidentified threat actors accessed T-Mobile employees' email accounts.


In February 2021, nefarious operatives accessed an internal T-Mobile application.


Following the August 2021 breach, stolen data was leaked online.


Seamless and elegant online customer experiences rely upon easy communication points between programs. That's where the Application Programming Interface, or API, comes in. If you are using a website, chances are there are one or more APIs behind the scenes. They allow for smooth online customer experiences while handing off internal data between systems. That makes privacy and security, through encryption and authentication, a vital part of any API and not something to overlook. So far, T-Mobile has not shared how the criminals exploited the API.


As we continue improving email security to block social engineering attempts, attackers are always looking for new system access points, and APIs are an increasingly popular target. Threat actors hunt for and leverage flaws that allow them to retrieve data without authenticating. McKinsey Consulting estimates that companies accelerated their technology transformation efforts on average by seven years during the pandemic. APIs are likely a large part of those automation efforts, meaning the attack surface for criminals grew exponentially alongside the transformation.


In our experience, we've found that organizations don't properly document their APIs and often struggle to create comprehensive inventories. Gartner predicts that by 2023, API abuses will become the most frequent attack vector. Gartner also predicts that by 2025, more than 50% of data theft will be due to insecure APIs.

API Security Should Be Your Top Priority in 2023



Continuous monitoring


Different layers of authentication between the APIs and the systems  

Red teaming / ethical hacking
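
The inventory and continuous-monitoring points above can be combined into one check. The following is an added example, not code from the original article: it compares gateway access logs against a documented API inventory and flags undocumented routes, successful unauthenticated requests to routes that should require authentication, and a single client fetching many distinct record IDs. The inventory, log format, field names and threshold are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Documented inventory (constructed): (method, route template) -> auth required?
INVENTORY = {
    ("GET", "/v1/plans"): False,
    ("GET", "/v1/customers/{id}"): True,
    ("POST", "/v1/orders"): True,
}

# Constructed gateway log, one JSON object per request; field names are assumptions.
SAMPLE_LOG = """\
{"method":"GET","path":"/v1/plans","status":200,"auth":false,"client":"203.0.113.7"}
{"method":"GET","path":"/v1/customers/1001","status":200,"auth":true,"client":"198.51.100.4"}
{"method":"GET","path":"/v1/customers/1002","status":200,"auth":false,"client":"192.0.2.55"}
{"method":"GET","path":"/v1/customers/1003","status":200,"auth":false,"client":"192.0.2.55"}
{"method":"GET","path":"/v1/customers/1004","status":200,"auth":false,"client":"192.0.2.55"}
{"method":"GET","path":"/v2/internal/accounts/77","status":200,"auth":false,"client":"192.0.2.55"}
{"method":"POST","path":"/v1/orders","status":401,"auth":false,"client":"192.0.2.55"}
"""

def route_template(path):
    """Collapse numeric path segments to {id} so requests map onto inventory routes."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def audit(log_text, inventory, bulk_threshold=3):
    """Return undocumented routes, auth bypasses and per-client bulk ID access."""
    findings = {"undocumented": set(), "unauthenticated": set(), "bulk": set()}
    ids_seen = defaultdict(set)  # (client, route) -> distinct record paths fetched
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if not 200 <= rec["status"] < 300:
            continue  # only successful responses actually returned data
        route = (rec["method"], route_template(rec["path"]))
        if route not in inventory:
            findings["undocumented"].add(route)       # missing from the inventory
        elif inventory[route] and not rec["auth"]:
            findings["unauthenticated"].add(route)    # served without credentials
        if "{id}" in route[1]:
            ids_seen[(rec["client"], route)].add(rec["path"])
    for key, paths in ids_seen.items():
        if len(paths) >= bulk_threshold:
            findings["bulk"].add(key)                 # one client, many records
    return findings

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG, INVENTORY).items():
        print(kind, sorted(items))
```

Run on a schedule against real gateway logs, each finding category maps to a different owner: undocumented routes go to whoever maintains the inventory, unauthenticated successes to the API team, and bulk access to the SOC.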


Sources:

Reuters, Bleeping Computer, VentureBeat, Gartner, McKinsey & Company
