In a regulatory filing yesterday, the company confirmed that the hackers had access to its data through improper use of a developer API since November 25. On January 5, T-Mobile spotted the issue and raised it with law enforcement and cybersecurity experts. Fortunately, the company believes that the most sensitive data (credit card info, Social Security numbers and passwords) weren’t compromised. But the hacker has taken names, billing addresses, email addresses, phone numbers, account numbers and dates of birth.
How was the hack done?
As we mentioned above, the hacker used a developer API (application programming interface) to gain access to the data. You hear about APIs a lot, as these are tools companies provide to developers to integrate their third party applications with. For example, any time you see a “Sign in with Google” button on an app that requires an account, that’s an API. It’s small convenience features that enable developers to access data for streamlining certain processes, or expand the functionality of their work. So you can imagine that if an API is not properly secured from certain bad actors, then someone could pose as a developer and use it to obtain sensitive information.
How to find out if you’ve been affected?
Much like a lot of these stories, how to find out whether you’ve been impacted by this specific hack is pretty tricky. T-Mobile has confirmed that it is notifying affected customers, so the only way to really know is to wait. In this situation, if you want to be proactive and find out for yourself, be patient. I’m confident this breach will be added to haveibeenpwned.com and you can find out what has happened from there.
What should you do now?
For anyone concerned right now with a desire to do something now, there are a few things you can do.
Change your password: Not just your T-Mobile account, but take this opportunity to review your other passwords.Turn on any two-factor authentication options: Be it verification by text or an authenticator app, the additional step will lock out any bad actors.Setup a password manager: Dashlane has never been breached before and it’s super strong password encryption means that even when someone tries to force a password reset via email address, the battle for your account is a whole lot harder for them.