API security breaches have become increasingly prevalent in recent years with the rapid increase in the implementation and use of APIs. T-Mobile’s recent breach is one of the many major security breaches executed through the exploitation of a relatively simple API vulnerability.
One thing that most security incidents have in common is that they are entirely preventable. That appears to be the case with this breach – which happens to be T-Mobile’s 8th breach in 5 years.
The State of API Security Explained
In a recent interview, Seemant Sehgal, Founder & CEO of BreachLock, a global leader in Pentesting as a Service (PTaaS), explains how the T-Mobile breach was executed, and expands on the state of API security. Seemant discusses strategies with Cybercrime Magazine’s Steve Morgan that security leaders can take to prevent similar breaches from happening in the future, such as conducting an API pen test.
Watch the full interview with Cybercrime Ventures here, or watch and read along with the full transcript below.
I’m Steve Morgan, Founder of Cybersecurity Ventures and Editor in Chief at Cybercrime Magazine. I’m here today with Seemant Sehgal, Founder and CEO of BreachLock, developers of a world-class, award-winning Penetration Testing as a Service (PTaaS) platform.
Seemant, welcome – great to have you with us again! Not a lot of time goes by between these big hacks, and the recent T-Mobile data breach was a big one. We’re talking about 7 million customers who were affected. Typically, we see updates, so it’s potentially more. What happened, Seemant?
I was looking at a recent article that said that since 2018, T-Mobile has been hacked about 8 times. Every time there’s a reason. Bear in mind, Steve, that they have an obligation to report these incidents because of the industry that they operate in, so there might be a lot of other companies that are also undergoing the same, but it doesn’t come to the surface. With respect to this hack, it was on the API side of things – very basic access management. There was an API that was just not coded correctly with proper access and that’s what led to this disaster.
Well, you mention APIs and API security in general, and I think we’ve learned they can’t be ignored, yet I wonder how much people are actually paying attention to that. What’s your take? Do you hear CISOs and security teams talking about that? Is API security enough of a focus or not?
I do, Steve, but when you compare the scale at which we are opening our applications to one another, and just the exponential rise of the use of APIs, I think there is an obvious lack. Although the OWASP Top 10 for API security was published in 2019, we see from the tests that we do that organizations are still playing catch up. There are so many ways in which APIs are now being implemented that there’s always some lag in terms of the best practices being implemented.
To your point, yes, we do see vulnerabilities in the API area and some of them are basic ones that can be easily taken care of. In fact, every year, we publish a penetration testing intelligence report, and there is a specific section dedicated to API pen test results showing the top 10 findings in the API security area for 2022, and we’re going to do the same thing in 2023.
In general, Seemant, not necessarily with this particular hack, could some of the large breaches that we learned about have potentially been avoided if companies were more rigorous with their pentesting?
I have thought about this a lot, Steve, and you know my conclusion is that not tested is not secure. You can deploy millions to put up your defense, but if it’s not going to come to your rescue, then it simply doesn’t work. The way you can find out if it works is by testing it, right? It’s not very uncommon for nation-state armies to do these drills where they test their defenses. What companies need to do is test it, and if they test it, they will know for a fact if it works or not – it’s rather simple.
If you look at it from a hacker’s perspective, it’s a never-ending game, because hackers are not stupid. They’re looking for low-hanging fruit. If things are simple, they’re going to target the simple things. They’re not there to produce another Stuxnet if you can fall for a cross-site scripting (XSS) or cross-site refresh forgery (CSRF) XSS combination that allows a login takeover, for example. They’re not going to look for a zero-day vulnerability in your system if there’s an open door waiting to welcome them, so definitely with security testing you can proactively find and fix your next cyber breach.
Well, Seemant, we’re going to have you come on again next quarter to talk about the next biggie – hopefully not for T-Mobile, but I know there will be something to talk about.
Absolutely, looking forward.
I’m Steve Morgan, Founder of Cybersecurity Ventures and Editor in Chief at Cybercrime Magazine. Joining us today was Seemant Sehgal, Founder & CEO at BreachLock®, developers of a world-class, award-winning Penetration Testing as a Service platform.