An API was apparently exploited to gain access to 37 million T-Mobile accounts. (Photo by Justin Sullivan/Getty Images)

News on Thursday that an application programming interface was exploited to gain access to the accounts of 37 million T-Mobile accounts has security researchers stressing the importance of API security in today’s digital economy.

In its SEC filing, T-Mobile said the unauthorized use of a single API was detected on Jan. 5 and shut down within 24 hours. T-Mobile also reports that the access began on Nov. 25, 2022.

“Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches,” said Ilia Kolochenko, founder of ImmuniWeb.

The situation has been aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services, but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data, explained Kolochenko.

“Given that the exfiltration of 37 million customer records was visibly not detected and blocked by the anomaly detection system, we can surmise that the breached API belonged to the unknown, and thus, unprotected shadow assets,” said Kolochenko.

T-Mobile in its statement Thursday said that there’s no evidence that the bad actor breached or compromised the carrier’s network or system. However, while no passwords, payment card information, Social Security numbers, government ID numbers or other financial account information were compromised, T-Mobile said some basic customer information was obtained. The information included names, billing addresses, emails, phone numbers, date of births, account numbers, and information such as the number of lines on the account and service plan features

Dirk Schrader, vice president of security research at Netwrix, said APIs are like highways to a company’s data: highly automated and allowing access to large amounts of information. As digitalization heavily relies on this kind of automated interaction using APIs, and time-to-market often trumps security, the risk related to unmonitored APIs is likely to grow even more.

“Typically, mid-size organizations and enterprises have tens or hundreds of APIs in their infrastructure,” Schrader said. “With these technologies implemented, organizations lack to use mutual authentication. Additionally, when there are no controls in place that monitor the amount of data left by the domain via the API, it results into no control over the customers’ data. The type of data exfiltrated in T-Mobile’s case is set to allow ransomware gangs like the Cuba ransomware or any other ransomware group to improve the credibility of phishing emails send to potential victims. Such a dataset would also be of interest for malicious actors — so-called initial access brokers — that focus on collecting initial inroads to personal computers and company networks.”

Ivan Novikov, co-founder and CEO of Wallarm, added that it's important for organizations to understand the unique challenges that come with protecting APIs and use technologies specifically designed to mitigate the risk of similar breaches. As organizations continue to accelerate their digital transformation efforts and leverage more and more APIs, it's crucial that they have the right tools and expertise in place to protect their sensitive data. To prepare for and mitigate API security breaches, Novikov said organizations can consider these five steps:

  • Prioritize API security: Make API security a top priority because unauthorized access through a single API can lead to a significant data breach.
  • Regularly review and update security systems and policies: Organizations should regularly review and update their cybersecurity systems and policies to prevent sensitive customer information from being accessed.
  • Invest in cybersecurity capabilities: Implement robust security measures and invest in cybersecurity capabilities can help mitigate the risk of data breaches.
  • Have a plan in place for incident response: In the event of a security incident, organizations should have a plan in place to respond quickly and effectively, including notification of customers and relevant authorities.
  • Learn from security breaches: It's important for organizations to learn from security breaches by conducting investigations and identifying the root cause and taking appropriate measures to prevent future incidents.”