API breach at T-Mobile
As more and more automation is being baked into IT systems, APIs (or Application Programming Interfaces) are becoming ubiquitous. Data integration, synchronization and transfer between apps are now routinely handled via API calls, usually over HTTPS.
Manipulating API parameters can easily disclose massive amounts of data, as witnessed in this month's breach at T-mobile, where hackers had access to an unsecured API endpoint between November 25, 2022 and January 5, 2023, allowing them to steal 37 million postpaid and prepaid customer accounts via an exposed API (which they exploited between ).
T-mobile did not share how the hackers exploited the API, but it appears the data records are fortunately not including payment card information, passwords, driver’s licenses, government IDs or social security numbers. Nevertheless, the harvested data will still offer plenty of opportunity to conduct social engineering attacks.
As API-fication grows, many industry analysts predict API will become a significant attack vector. Furthermore, it appears APIs are especially prone to software bugs, as they are mostly handled by outsourced application development initiatives, which tend to be less scrutinized or managed by internal IT security teams.
For ex. take the recent revelations on vulnerabilities in car companies' APIs, as reported by security researcher Sam Curry and others. The authors described how trivial it was to get hold of sensitive PII information via publicly exposed web APIs. Yet the type of errors made during API design and development mostly boiled down to reinventing the wheel: in many of the reported vulnerabilities, the developers would build user management and authentication functions into the application, instead of relying on industry standard practices for handling authentication and authorization via identity management solutions.
In the case of the latest T-mobile breach, it is still unclear what led to the data exposure, but the time span during which the data was available to hackers suggests it's important for each organization to monitor its attack surface, APIs becoming a big par of it.