Security News

Unphishable mobile MFA through hardware keys
2023-01-30 15:07

Passwords are a mess, MFA can be more of a stopgap than a solution to phishing, and running your own public key infrastructure for certificates is a lot of work. Ironically, if you're a security-aware organization in a regulated industry that already did the hard work of adopting the previous gold standard - smartcards that hold a security certificate and validate it against a certificate authority on your infrastructure - you might find yourself stuck running ADFS as you try to move to the new FIDO keys.

How hackers stole the personal data of 37 million T-Mobile customers
2023-01-24 20:41

T-Mobile and millions of its customers have been the victims of another data breach - this one apparently carried out by hackers who knew how to exploit an application programming interface used by the carrier. The API did not leak other personal data such as payment card numbers, Social Security numbers, driver's license numbers, passwords, or PINs, according to T-Mobile.

T-Mobile admits to 37,000,000 customer records stolen by “bad actor”
2023-01-20 19:59

US mobile phone provider T-Mobile has just admitted to getting hacked, in a filing known as an 8-K that was submitted to the Securities and Exchange Commission yesterday, 2023-01-19. On January 5, 2023, T-Mobile US [...] identified that a bad actor was obtaining data through a single Application Programming Interface without authorization.

Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers' DNS Settings
2023-01-20 16:33

Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea.

Crims steal data on 40 million T-Mobile US customers
2023-01-20 01:33

T-Mobile US today said someone abused an API to download the personal information of 37 million subscribers. A regulatory filing [PDF] disclosed one or more miscreants were able to access potentially the "Name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features" of each affected customer.

T-Mobile hacked to steal data of 37 million accounts in API data breach
2023-01-19 22:19

T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming...

T-Mobile hacker gets 10 years for $25 million phone unlock scheme
2022-12-18 15:03

Argishti Khudaverdyan, the former owner of a T-Mobile retail store, was sentenced to 10 years in prison for a $25 million scheme where he unlocked and unblocked cellphones by hacking into T-Mobile's internal systems. "Removing the unlock allowed the phones to be sold on the black market and enabled T-Mobile customers to stop using T-Mobile's services and thereby deprive T-Mobile of revenue generated from customers' service contracts and equipment installment plans."

Consumers prioritize mobile app security over features
2022-12-08 04:30

Appdome unveiled the results of a global survey that shares the views of 25,000 consumers in 11 countries on mobile app use and consumer expectations of mobile app security. With 53.5% of consumers now preferring mobile apps to other digital channels, the report is incredibly timely for all brands with mobile strategies.

Darknet's Largest Mobile Malware Marketplace Threatens Users Worldwide
2022-12-06 12:38

Cybersecurity researchers have shed light on a darknet marketplace called InTheBox that's designed to specifically cater to mobile malware operators. "The automation allows other bad actors to create orders to receive the most up to date web injects for further implementation into mobile malware," Resecurity said.

Predatory loan mobile apps grab data, harass users and their contacts
2022-12-01 05:30

Lookout researchers have discovered nearly 300 Android and iOS apps that trick victims into unfair loan terms, exfiltrate excessive user data from mobile devices, and then use it to pressure and shame the victims for repayment. Aimed at consumers in developing countries - Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda - the apps and their operators are taking advantage of victims' inability to qualify for a traditional loan.