No Security Without API Gateway: A Guide to the Right Order in API Infrastructure
37 Million Customers Lost, 41 Days of Invisible Attack: Rethinking API Security from the T-Mobile Case
January 2023. T-Mobile disclosed an API data breach affecting 37 million customer accounts. The attacker had begun "unauthorized" use of an API on November 25, 2022. For 41 days, no one noticed. Names, addresses, phones, emails, birth dates—everything leaked.
How did this happen? The answer is simple but painful: They could not protect an API whose existence they did not know.
Salt Security’s analysis is clear: This was a "Shadow API" case. Security teams were unaware of this API’s existence, the data it processed, and its security posture. It was outside the scope of the API management and security program.
And this was T-Mobile’s 8th breach. Since 2018. They had agreed to pay $350 million for a 2021 breach.
But the real question is: Didn’t T-Mobile have an API Security product? They probably did. So why didn’t it work?
Field Reality: "Should We Buy an API Security Product?"
In meetings over the past few months with many banks, public agencies, and defense industry customers—with security teams, infrastructure, system architects, service managers, and enterprise architects—I saw a common pattern. The same question: "Should we buy an API Security product?"
From what they said: they had attended many presentations, run PoCs, but still had no clear answers. Every API Security vendor tells a different story; they couldn’t tell which was right. Some talk about behavior analysis, some API Discovery, some promise ML-based threat detection, some say "full visibility" but don’t (or can’t) explain in detail with real scenarios. Some even claimed they “catch problems in mid-air” (they literally told this to one of our customers).
I asked the same question in every meeting: "When you say API Security, what do you mean and what do you expect?" I asked this not only to active customers but also to experts when the topic turned to security.
When we went into details, their real needs were:
- To know all APIs exposed and consumed inside and outside the organization (lately they also want to master internal API inventory).
- To master API inventory.
- To know who owns and is responsible for each API (or at least who to hold accountable when something goes wrong).
The behavior analysis and threat detection capabilities that API Security products offer? That was second, or even third—the cherry on top.
The answer was always the same: Mastering inventory is the top priority.
The T-Mobile case shows exactly that: Without inventory, the attack stayed invisible for 41 days.
So What Exactly Happened at T-Mobile?
For 41 days the attack went undetected because:
- The API was outside central management (shadow API).
- It did not go through a gateway.
- There was no visibility.
- No behavioral baseline had been built.
- Anomaly detection was not in place.
Result: The API Security product was not even aware of this API’s existence. How could it protect it?
"No API Security product can see traffic that does not pass through an API Gateway. It cannot protect what it cannot see. It is useless for Shadow APIs."
So the order is critical:
- Gateway first → All traffic through a single point.
- Then Management → Build inventory, assign ownership.
- Security last → Only then does protection make sense.
Otherwise you buy an expensive API Security product and, like T-Mobile, may not see the attack for 41 days.
The Hard Truth: How API Security Products Work
A crucial point must be understood here. API Security products are not blind, but they need eyes to see.
They need:
- To operate by observing API Gateway or WAF traffic.
- To analyze HTTP request–response pairs.
- To learn normal behavior patterns.
- To detect anomalies.
If you have no central traffic point, the security product stays blind.
These products require full visibility to do:
- API Discovery (which APIs exist?)
- Behavioral Analysis (what is normal?)
- Anomaly Detection (where is the deviation?)
- Shadow API Detection (where are unregistered APIs?)
- Threat Intelligence (what are the attack patterns?)
Is the SOA Story Repeating?
When I saw this situation, my years of experience on the SOA side came to mind.
Back then everyone was talking about SOA. Global vendors sold products under the SOA name. Enterprise Service Bus (ESB) products, SOA governance platforms, service registries… Millions of dollars were spent.
In the end, most projects built with those products failed. The ones that continued did so because no one dared touch them.
Why did they fail?
Because they trusted the product and said "the product will solve everything." Global vendors marketed their products very well as SOA. Sales presentations were great. Demos were impressive.
But the forgotten truth was:
SOA (Service-Oriented Architecture) is not a product; it is an architectural approach or a philosophical paradigm.
SOA is not a product; it is an architectural approach for designing systems.
Like Lego pieces, you have to build it. You must first understand the architectural principles, then define your governance model, then build your infrastructure step by step.
Buying a product did not mean having an SOA architectural approach.
Is the same movie now repeating in API Security?
Many organizations act with this logic:
- "Let’s buy an API Security product first; security is the priority."
- "We’ll think about the gateway later."
- "Inventory will emerge gradually." In other words: we’ll figure it out on the way. (That may work for non-technical topics, but in technical architecture it often ends in disaster.)
This is the opposite of the right approach. It’s like buying an ESB and saying "we have SOA now."
The result is the same: Money is spent, expectations are not met, shadow APIs remain invisible, and the project is shelved.
What About the Data?
It’s not only field observations; the data points to the same reality:
Gartner 2024 Market Guide for API Protection:
"Shadow and dormant APIs cause, on average, larger data leaks than other breaches."
Salt Security & LevelBlue Research (2024):
"94% of organizations experienced a security issue in production APIs in the past year. Many businesses have limited visibility into API inventory."
Dark Reading (November 2024):
"The most urgent problem for organizations is the lack of inventory of all external APIs. Attackers are exploiting this gap."
OWASP API Security Top 10:
"#9 Improper Inventory Management: Poor management of API assets. Lack of awareness of all APIs leads to security vulnerabilities."
The pattern is clear: Without Gateway and inventory, API Security products stay blind.
PART 2: The T-Mobile Case – Deep Dive
41 Days: Anatomy of an API Breach
The T-Mobile case is an excellent case study of how "theoretical risks" in API security turn into real disaster. Here’s what happened chronologically:
November 25, 2022 – Day Zero: The attacker gained unauthorized access to one of T-Mobile’s APIs. But this was no ordinary API. It was a "Shadow API"—unregistered, undocumented, and unknown to security teams.
November 26 – January 4 (40 days): Silence. Complete silence. The attacker accessed 37 million customers’ data every day, systematically: names, billing addresses, emails, phone numbers, birth dates, T-Mobile account numbers.
Security teams? Unaware. SIEMs did not alarm. API Security products were silent. Because we’re talking about an API they couldn’t see.
January 5, 2023 – Detection: After 41 days, an anomaly was detected. How? Details were not fully disclosed; likely through another security layer or manual check.
January 6, 2023 – Stop: T-Mobile stopped the attack only 1 day after detection.
Notable point: If it could be stopped in 1 day once detected, why was it invisible for 41 days?
Root Cause: Shadow API and API Sprawl
Salt Security’s in-depth analysis made the problem clear:
"An API whose existence is outside the scope of the API management and security program, undocumented. Security teams are unaware of these APIs’ existence, the data they process, and their security posture."
This is not just "we forgot an API." It’s the result of a systematic problem called "API Sprawl":
1. Shadow APIs
- Definition: Unregistered APIs that no one knows about.
- How they appear: Developers create them for testing and forget; legacy, undocumented endpoints; uncontrolled growth in microservices; unintegrated APIs from acquired companies.
- At T-Mobile: This category caused the breach.
2. Zombie APIs
- Definition: APIs thought to be unused but still active.
- Why dangerous: No security updates, no monitoring, known vulnerabilities, thought "disabled" but still running.
3. Ghost APIs
- Definition: APIs that exist in documentation but behave differently in reality (teams integrating often suffer from "Internal Server Error" and similar mismatches).
- Problem: Gap between documentation and real behavior; security tests based on docs miss real vulnerabilities; version mismatches. Widespread use of an API Developer Portal helps with these issues but not with inventory.
Scale of API Sprawl
The T-Mobile case is not isolated. Salt Security and LevelBlue’s 2024 research shows:
- 94% of organizations had a security issue in production APIs in the past year.
- Most businesses have limited visibility into API inventory.
- The average enterprise has 200–500 unregistered APIs.
T-Mobile’s reality is even harsher: This was their 8th data breach.
8 Breaches, $350 Million
T-Mobile’s breach history: 2018 (2M customers), 2019 (prepaid, another breach), 2020 (employee emails, customer data), 2021 August (54 million—largest), 2022 April (SIM swap), 2022 Nov 25 (our case starts), 2023 January (37 million—Shadow API breach).
Cost of the 2021 breach: T-Mobile agreed to pay $350 million in a class action and committed $150 million to cybersecurity.
Question: Despite that payment and investment, how did the same type of breach happen again in 2023?
Why Did It Repeat?
Salt Security’s analysis is clear: Lack of visibility (incomplete API inventory), no gateway (traffic not centralized), governance weakness (no API lifecycle management), Shadow APIs (continuously created, not detected). T-Mobile likely did buy API Security products, strengthened the security team, ran penetration tests, and did compliance work—but did not build a central API Gateway, inventory all APIs, create a mechanism to detect Shadow APIs, or institutionalize API lifecycle management. Result: They bought security products but did not give them "eyes to see." Shadow APIs stayed invisible and the attack continued for 41 days.
3 Lessons from the T-Mobile Case
1. Spending money ≠ Being secure. You can spend $500 million, but if you don’t follow the right order, you repeat the same mistake.
2. Visibility comes first. An attack invisible for 41 days = missing Gateway and inventory. You must see first, then protect.
3. API Sprawl is real. Shadow, Zombie, and Ghost APIs keep appearing. You need systematic processes to curb them, not just tools.
PART 3: 3 Critical Questions Before Buying an API Security Product
T-Mobile paid $350 million and invested $150 million in cybersecurity after the 2021 breach. They probably bought top API Security products. They still had the same type of breach in 2023.
The problem was not the products. The problem was the foundations.
If you’re also debating "should we buy an API Security product?" in your organization, ask yourself these 3 questions first.
QUESTION 1: Do You Have an API Inventory?
"How many APIs do you have?"
Answers I got in the field:
- "We don’t know exactly but around 200" (Turned out there were 847.)
- "Each department has its own APIs; no one knows the total."
- "We don’t even know if we have APIs in our legacy systems."
- "Since we moved to microservices, we’ve lost control."
No Inventory, No Security
An API inventory is not just an Excel list. A complete inventory should include: name & version, endpoints, HTTP methods, hosting; owner (Product Owner), technical lead, business unit, lifecycle state; authentication, authorization, data types (PII, PCI), compliance (GDPR, KVKK, PCI-DSS); tech stack, dependencies, SLA, rate limiting.
What Happens When You Buy API Security Without Inventory?
Real scenario: A financial institution bought a $2M API Security platform promising behavioral analysis, anomaly detection, Shadow API discovery, threat intelligence. After 6 months: the product detected 180 APIs (those through the gateway); manual inventory found 540 APIs; 360 APIs were running where the product couldn’t see; 67% of Shadow APIs were never detected. Result: $2M spent, most APIs still invisible.
"Buying API Security without inventory is like running a police patrol in a city with no map. You don’t know which streets to protect."
QUESTION 2: Do You Have a Central API Gateway?
"Does all your API traffic pass through a single central point?"
This question is even more critical. API Security products work by observing Gateway traffic.
Distributed architecture (highest risk): Each API exposed differently; no central visibility.
Central Gateway architecture: All traffic through one point; full visibility.