A breach at T-Mobile, discovered seven days ago, exposed the personal information of two million customers.
T-Mobile, the country's third largest wireless carrier, is still in the process of picking up the pieces around a cybersecurity incident last week that may have inadvertently leaked information on two million of its customers.
The company said last Thursday that customers' personal information, including their names, billing zip codes, phone numbers, email addresses, account numbers, and account type - whether it was prepaid or postpaid - may have been leaked via what the company called "unauthorized access." Some reports have blamed the issue on a vulnerable API, or application programming interface, although the root cause of the issue is uncertain.
T-Mobile said its cybersecurity team observed the unauthorized access and put a stop to it a week ago, last Monday. It's unclear, however, exactly how long the issue lingered before it was caught.
The company downplayed the incident last week by saying that no user financial data, Social Security numbers, or passwords were implicated in the incident, but according to reports, that may not be entirely true.
The Vice publication Motherboard, citing a discussion of the breach with a company spokesperson, said Friday that encrypted passwords were included among the compromised data, opening up the potential they could be hacked, possibly via a brute force attack.
"Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information," the company wrote in a letter to customers on its site, "We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you."
The breach compromised the data of three percent of T-Mobile's 77 million customers, Reuters, which also reported on the breach, said last week.
The incident was compounded over the weekend when news surfaced of another issue, related to mobile PIN numbers for T-Mobile customers. If abused, that second issue could have revealed PIN numbers for customers of both T-Mobile and AT&T. It stemmed from Apple's online store verification process.
"Apple’s online iPhone store exposed the partial Social Security number or account PIN of any T-Mobile customer to hackers. After shoppers initiate an iPhone purchase and select monthly payment installments through T-Mobile, Apple’s site takes shoppers to an authentication form that asks for their T-Mobile cell number, and the account PIN or last four digits of their Social Security number,” BuzzFeed, which broke the news on Friday, said.