T-Mobile data breach shows API security can’t be ignored

Check out all the on-demand sessions from the Intelligent Security Summit here.

Enterprise security isn’t easy. Small oversights around systems and vulnerabilities can result in data breaches that impact millions of users. Unfortunately, one of the most common oversights is in the realm of APIs. 

Just yesterday, T-Mobile revealed that a threat actor stole the personal information of 37 million postpaid and prepaid customer accounts via an exposed API (which they exploited between November 25, 2022 and January 5, 2023). The vendor didn’t share how the hackers exploited the API. 

This incident highlights that API security should be at the top of the agenda for CISOs and organizations if they want to safeguard customer data from falling into the wrong hands. 

The trend of API exploitation 

With cloud adoption increasing dramatically over the past few years, analysts have long warned enterprises that a tidal wave of API exploitation has been brewing. Back in 2021, Gartner predicted that in 2023, API abuse would move from infrequent to the most frequent attack vector. 


Intelligent Security Summit On-Demand

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.

Watch Here

These predictions appear to be accurate, with research showing that 53% of security and engineering professionals reported their organizations experienced a data breach of a network or app due to compromised API tokens. 

In addition, just a month ago, hackers exposed the account and email addresses of 235 million Twitter users after exploiting an API vulnerability originally shipped in June 2021, which was later patched. 

As threat actors look to exploit APIs more often, organizations can’t afford to rely on legacy cybersecurity solutions to protect this vast attack surface. Unfortunately, upgrading to up-to-date solutions is easier said than done. 

“Unauthorized API access can be extremely difficult for organizations to monitor and investigate — especially for enterprise companies — due to the sheer volume of them,” said Chris Doman, CTO and cofounder of Cado Security. 

“As more organizations are moving data to the cloud, API security becomes even more pertinent with distributed systems,” Doman said. 

Doman notes that organizations looking to insulate themselves from incidents like T-Mobile experienced need to have “proper visibility” into API access and activity beyond traditional logging. 

This is important because logging can be sidestepped — as was the case with a vulnerability in AWS’ APIs that allowed attackers to bypass CloudTrail logging. 

How bad is the T-Mobile API data breach? 

While T-Mobile has claimed that the attackers weren’t able to access users’ payment card information, passwords, driver’s licenses, government IDs or social security numbers, the information that was harvested provides ample material to conduct social engineering attacks. 

“Although T-Mobile has publicly disclosed the severity of the incident, alongside its response — cutting off threat-actor access via the API exploit — the breach still compromised billing addresses, emails, phone numbers, birth dates and more,” said Cliff Steinhauer, director of information security and engagement at NCA. 

“It’s basic information, but just enough to map out and execute a convincing enough social engineering campaign that can strengthen bad actors’ capacity for new attacks,” Steinhauer said. 

These attacks include phishing attacks, identity theft, business email compromise (BEC) and ransomware.

Why do API breaches happen?

APIs are a prime target for threat actors because they facilitate communication between different apps and services. Each API sets out a mechanism for sharing data with third-party services. If an attacker discovers a vulnerability in one of these services, they can gain access to the underlying data as part of a man-in-the-middle attack. 

There is an increase in API-based attacks — not because these elements are necessarily insecure, but because many security teams don’t have the processes in place to identify and classify APIs at scale, let alone remediate vulnerabilities.

“APIs are designed to provide ready access to applications and data. This is a great benefit to developers, but also a boon for attackers,” said Mark O’Neill, VP analyst at Gartner. “Protecting APIs starts with discovering and categorizing your APIs. You can’t secure what you don’t know.”  

Of course, inventorying APIs is just the tip of the iceberg; security teams also need a strategy to secure them. 

“Then it involves the use of API gateways, web application and API protection (WAAP), and application security testing. A key problem is that API security falls into two groups: engineering teams, who lack security skills, and security teams, who lack API skills.” 

Thus, organizations need to implement a DevSecOps-style approach to better assess the security of applications in use (or in development) within the environment, and develop a strategy to secure them. 

Identifying and mitigating API vulnerabilities 

One way organizations can start to identify vulnerabilities in APIs is to implement penetration testing. Conducting an internal or third party-led penetration test can help security teams see how vulnerable to exploitation an API is, and provide actionable steps on how they can improve their cloud security posture over time.

“For all types of software, it’s vital that companies use updated code and check the security of their systems, e.g., by arranging penetration testing — a security assessment that simulates various types of intruders … the goal of which is to elevate the current privileges and access the environment,” said David Emm, principal security researcher at Kaspersky.

In addition, it’s a good idea for organizations to invest in incident response, so if an API is exploited, they can respond quickly to limit the impact of the breach.

“To be on the safe side when a company is faced with an incident, incident response services can help minimize the consequences, in particular by identifying compromised nodes and protecting the infrastructure from similar attacks in the future,” Emm said.

The role of zero trust 

Unauthenticated, public-facing APIs are susceptible to malicious API calls, where an attacker will attempt to connect to the entity and exfiltrate all the data it has access to. In the same way that you wouldn’t implicitly trust a user to access PII, you shouldn’t automatically trust an API either.  

That’s why it’s essential to implement a zero trust strategy, and deploy an authentication and authorization mechanism for each individual API to prevent unauthorized individuals from accessing your data. 

“When you have sensitive data (in this case customer phone numbers, billing and email addresses, etc.) sprawled across databases, mixed with other data, and access to that data not properly managed, these types of breaches are hard to avoid,” said Anushu Sharma, co-founder and CEO of Skyflow. 

“The best-run companies with the most sensitive data know that they must adopt new zero-trust architectures. Bad actors are getting smarter. Adopting new privacy technology isn’t an option anymore, it’s table stakes,” Sharma said.

Combining access control frameworks like OAuth2 with authentication measures such as username and password and API keys, can help enforce the principle of least privilege and ensure that users have access only to the information they need to perform their role.

Originally appeared on: TheSpuzz