T-Mobile disclosed in an SEC filing Thursday night that a bad actor had accessed the data of 37 million customers through an Application Programming Interface (API).
The telecom giant said the hacker accessed “name, billing address, email, phone number, date of birth, and T-Mobile account number and information” but that sensitive information such as credit cards and social security numbers was not exposed.
The filing stated that the bad actor had access to the API beginning November 25th, 2022; the activity was detected on January 5th, 2023, and shut down in a day. The hacker did not have access to any T-Mobile computer systems and only accessed customer information through the API.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company wrote in the filing.
According to the filing, T-Mobile has begun notifying the 37 million customers who were affected.