T-Mobile recently faced a security incident that exposed the data of approximately 37 million customer accounts, but those calling it an “attack” may be mistaken. We should call it what it is: an “API exploitation”.
For those who haven’t followed the incident, T-Mobile received a significant amount of media coverage in January after the wireless giant acknowledged that a “bad actor” accessed information of about 37 million customers. Several media outlets described the incident as an “attack” and compared it to previous incidents, but this does not necessarily follow the common definition of an attack.
The Desk states that the “bad actor” that T-Mobile blamed for the incident simply exploited a back door that T-Mobile developers intentionally left, and used it to harvest the data of millions of customers.
So while the “bad actor” did indeed abuse the API, the media coverage calling it a hack resulting in a breach is a little misleading and leads to the question: if you leave the doors unlocked, is it really a breach?
There was no malware or other form of cyberattack; this was simply an “API exploitation”. T-Mobile left a key under the mat and a thief used it to rob their house: no forced entry and definitely no forcible attack.
While it is trendy for media outlets to call this a well-orchestrated cyberattack, the reality is that T-Mobile was not careful in securing their APIs. The “bad actor” did not need to do any elaborate hacking, but simply connected to T-Mobile’s API and accessed the available data using easily available information.
At eXate, we enable technology teams to implement security patterns in their architectures that allow them to move fast and risk nothing. APIgator is built to provide an extra layer of security so that, even if access to an API is compromised (or not, in T-Mobile’s case), the data traveling through the API is instantly secured, alarms are raised, and the data is rendered useless to the unauthorised user.
If T-Mobile had used APIgator, their customers' data would still be safely with T-Mobile.
Create strength in depth for your API programme by protecting your data in real time: don't just protect the API, protect the data.
To achieve API security, JUST EXATE YOUR DATA!