Incident
T-Mobile API Abuse: 37 Million Records via a Single Endpoint
T-Mobile disclosed in its January 2023 8-K that an attacker obtained personal data on approximately 37 million customer accounts by abusing a single API over roughly six weeks. The company reported no compromise of its systems or network; the gap was in how the API authenticated and rate-limited its callers.
Key Finding
API authorisation is identity. When an API trusts caller-supplied identifiers without strong authentication and rate limits, identity architecture has failed even though no IdP was compromised.
In its 19 January 2023 8-K filing, T-Mobile disclosed that an unauthorised actor obtained personal data on approximately 37 million current postpaid and prepaid customer accounts through a single API. The activity began on or around 25 November 2022 and was identified on 5 January 2023, roughly six weeks of undetected access; T-Mobile reported stopping it within a day of discovery. The API returned customer name, billing address, email, phone number, date of birth, T-Mobile account number, and account details such as the number of lines and plan features. It did not expose passwords, payment card data, Social Security numbers, or other government identifiers, which is why the incident is an authorisation failure rather than a credential breach.
The breach is notable not because the systems failed (they kept serving requests throughout) but because the identity-and-access boundary on the API was weaker than the data it returned warranted. T-Mobile reported no compromise of its systems or network, and nothing in the filing points to an MFA bypass, a stolen credential, or malware. What remains is an API that returned records for the account identifiers callers supplied, with no behavioural detection of bulk record retrieval, so the enumeration ran for roughly six weeks before anyone noticed.
From an identity-architecture standpoint, the T-Mobile incident is an instance of a recurring class of breach (the OWASP API Security Top 10 catalogues its core as Broken Object Level Authorization and Unrestricted Resource Consumption) that attracts far less attention than dramatic IdP-compromise events but accounts for a large share of the records exposed each year. The fix is not new technology; it is treating API authentication and authorisation as a first-class identity surface, designed with the same discipline applied to workforce and customer identity: every request bound to an authenticated subject, every object lookup checked against that subject, and per-subject rate limits plus anomaly detection on retrieval volume.
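The following is an added illustration, not T-Mobile's code, not the page author's, and not a reconstruction of the actual endpoint (the 8-K does not disclose its internals). It shows, in Python, a toy account-lookup API in the shape the page describes (a shared client-app key, then a lookup of whatever account number the caller names) beside a hardened version that derives the account from the authenticated subject and rate-limits per subject, plus a log check for the bulk-retrieval pattern that would have surfaced six weeks of enumeration. Every account number, token, header name and log line is constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed records keyed by account number (illustrative data, not real customers).
ACCOUNTS = {
    "1000001": {"name": "A. Example", "email": "a@example.test", "lines": 2},
    "1000002": {"name": "B. Example", "email": "b@example.test", "lines": 1},
    "1000003": {"name": "C. Example", "email": "c@example.test", "lines": 4},
}

# Constructed credentials. APP_KEY is a single shared client-app secret: it proves
# which app is calling, not which customer. SESSIONS maps a per-customer bearer
# token to the one account that customer may read (a stand-in for IdP-issued tokens).
APP_KEY = "app-key-123"
SESSIONS = {"tok-alice": "1000001", "tok-bob": "1000002"}


def lookup_vulnerable(headers, params):
    """Before: authenticates the app, then returns whatever account the caller
    names. Anyone holding the app key can walk the whole account-number space."""
    if headers.get("X-App-Key") != APP_KEY:
        return {"status": 401}
    rec = ACCOUNTS.get(params.get("account", ""))
    return {"status": 200, "body": rec} if rec else {"status": 404}


class RateLimiter:
    """Sliding-window limiter keyed by authenticated subject, not by source IP."""

    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_s=60)


def lookup_hardened(headers, params, limiter=LIMITER, now=None):
    """After: the account comes from the authenticated session, each subject is
    rate-limited, and a caller-supplied account that is not the caller's own is refused."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    subject = SESSIONS.get(token) if scheme == "Bearer" else None
    if subject is None:
        return {"status": 401}
    if not limiter.allow(subject, now):
        return {"status": 429}
    requested = params.get("account", subject)
    if requested != subject:          # object-level authorization check
        return {"status": 403}
    return {"status": 200, "body": ACCOUNTS[subject]}


def burst(token, times, limit=5, window_s=60):
    """Replay one subject's requests at the given timestamps through a fresh
    limiter and return the status codes, showing where 429 begins."""
    rl = RateLimiter(limit, window_s)
    hdr = {"Authorization": f"Bearer {token}"}
    return [lookup_hardened(hdr, {}, limiter=rl, now=t)["status"] for t in times]


def flag_enumeration(log_lines, max_distinct=3, window_s=3600):
    """Detection: flag any caller that requested more than max_distinct distinct
    account numbers within window_s seconds. 404s count too, since probing
    non-existent accounts is part of the enumeration pattern.
    Constructed line format: '<epoch> <caller> <account> <status>'."""
    recent = defaultdict(list)
    flagged = set()
    for line in log_lines:
        ts, caller, acct, _status = line.split()
        ts = float(ts)
        events = [(t, a) for t, a in recent[caller] if ts - t < window_s]
        events.append((ts, acct))
        recent[caller] = events
        if len({a for _, a in events}) > max_distinct:
            flagged.add(caller)
    return flagged


# Constructed access-log sample: one customer re-reading its own account, and one
# caller holding the app key walking consecutive account numbers.
SAMPLE_LOG = [
    "1700000000 tok-alice 1000001 200",
    "1700000600 tok-alice 1000001 200",
    "1700000900 app-key-123 1000001 200",
    "1700000901 app-key-123 1000002 200",
    "1700000902 app-key-123 1000003 200",
    "1700000903 app-key-123 1000004 404",
]

if __name__ == "__main__":
    # The same request against both handlers: Bob asking for Alice's account.
    print(lookup_vulnerable({"X-App-Key": APP_KEY}, {"account": "1000001"})["status"])   # 200
    print(lookup_hardened({"Authorization": "Bearer tok-bob"}, {"account": "1000001"})["status"])  # 403
    print(burst("tok-bob", [0, 1, 2, 61], limit=2))   # [200, 200, 429, 200]
    print(flag_enumeration(SAMPLE_LOG))               # {'app-key-123'}
```

Two design points carry over to real deployments. First, the hardened handler never uses the caller-supplied identifier to choose the record; it only compares it against the subject the token proves, so a mismatch is a policy violation to log, not a lookup to perform. Second, the limiter is keyed by subject, because a single shared app key or a rotating pool of source IPs is exactly what defeats IP-based limits; unauthenticated traffic still needs a separate IP- or client-keyed limit in front of it, which this toy omits.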
Need help with your identity architecture?
Every incident on this page was preventable with the right architecture. Let's talk about yours.
Book a Conversation