Data leak
Sources: BleepingComputer / Traceable / Wikipedia
Incident Details
Attackers began exploiting an unprotected API endpoint on Nov 25 2022 and exfiltrated data undetected for weeks. 37 million customer records were exposed, including names, phone numbers, billing addresses, birthdates, email addresses, T-Mobile account numbers and plan features. The breach was detected Jan 5 2023 and publicly disclosed Jan 19 2023. It was T-Mobile's 8th breach since 2018. The FCC and multi-state regulators investigated, and T-Mobile paid a $15.75M penalty in a 2024 settlement covering multiple breaches. A previous 2021 breach via SSH brute force exposed 76M records.
Technical Details
- Initial Attack Vector: CWE-306, Missing Authentication for Critical Function (unauthenticated API endpoint exposing customer data)
- Vendor / Product: T-Mobile US customer portal / API
Timeline
- 2022-11-25 Breach began (first unauthorized access to the API endpoint)
- 2023-01-19 Publicly disclosed
- 2023-01-19 Customers notified