T-Mobile disclosed in a regulatory filing Thursday that a hacker obtained data from about 37 million customer accounts using an API, or application programming interface.
The Bellevue, Wash.-based wireless giant said its investigation thus far found that the bad actor accessed “a limited set of customer account data” including name, billing address, email, phone number, date of birth, and T-Mobile account number.
The hacker did not breach or compromise the company’s systems or network, the company said, and was not able to access data related to payment information, Social Security numbers, driver’s licenses, or other financial info.
The hack started on or around Nov. 25, and T-Mobile identified the bad actor Jan. 5.
“We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it,” T-Mobile wrote in the filing.
The investigation is ongoing, but T-Mobile said the malicious activity appears to be contained.
T-Mobile suffered a major hack in 2021 that exposed personal details of more than 50 million people. The company paid $350 million to settle class-action lawsuits brought over that hack. It was also hacked by the Lapsus$ hacking group last year.