There's one big detail about T-Mobile's latest security incident that everyone in the media is getting wrong:

The company wasn't hacked. Someone exploited T-Mobile's API and collected data on millions of customers that the company freely gave away.

People should be asking why they did this, but we won't get there if the company is seen as a victim of a "hack" that wasn't. https://thedesk.net/2023/01/t-mobile-compromise-api-was-not-hacked/


@matthewkeys I think this is, overall, an important distinction and the right framing.

But since I love pointless semantic arguments, I wonder where the line is between a "hack" and the company giving the data away by mistake? In a sense, either is someone gaining unintended access, and many hacks are the result of e.g. waltzing onto unsecured servers, finding credentials printed in public logs etc. Every hack is a company messing up, and a hacker knowing where to look & prod.

@matthewkeys Gee, that sounds very familiar... Same flaw in Australian telco breach https://terem.tech/optus-api-hack-analysis/
Optus API Hack - Analysis - Terem

The Optus hack is the third biggest breach of Australian consumer Personally Identifiable Information (PII) in history, with 9.8m customer records being exposed. Optus maintains that the hack was a sophisticated attack, using rotating IP addresses to carry out the attack. The Minister For Cyber Security, Clare O’Neil, and the Federal Government have slammed Optus, […]
