This time around, weak API security allowed a threat actor to access account information, the mobile phone giant reported.