RALEIGH, N.C. (WNCN) — Personal data from millions of T-Mobile users has been stolen in an attack that began in Nov. 2022 and wasn’t stopped until the first week of January. 

The stolen data includes names, addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and other account information. 

The company revealed those losses in a filing with the Securities and Exchange Commission, in which it said that Social Security numbers, driver’s license and credit card information remained secure. 

It said the breach occurred over a seven-week period during an Application Programming Interface (API) attack. 

“API attacks can be low and slow,” said Edward Roberts of NEOSEC, a company which provides API protection. “Over time you can scrape data from them.” 

Companies keep information protected in data centers, and breaching them is a difficult process. However, many businesses use APIs.

Think of them as electronic roadways that allow data to flow between applications which talk to each other, and the data an API carries can be easier to intercept. 

“If a bandit is on that roadway, they can steal that data and give you a security breach problem,” said Roberts. 

It’s estimated 80 percent of internet traffic now travels on those APIs. 

Consumer Investigator Steve Sbraccia asked Roberts what, if anything, we as consumers can do to protect that data. 

“That’s the tough part,” he said. “Consumers are at the mercy of organizations.”    

That stolen data is enough for scammers to try and socially engineer us. 

The non-profit National Cybersecurity Alliance says there are steps that customers can take to reduce those attacks.

The tips include:

  • Enable multi-factor authentication on any account that permits it  
  • Watch for phony T-Mobile phishing emails asking you to click links 
  • Be alert to T-Mobile impersonators calling asking for   or log-in info  

After the breach became public, class action lawsuits were filed in California and Florida claiming the company was negligent and careless with customer info which wasn’t encrypted.  

T-Mobile did not comment on the litigation.