T-Mobile Bug Put Millions of Users at Risk of Data Theft

  • A new T-Mobile bug put millions of users at risk due to a vulnerability in one of the carrier’s subdomains.
  • The “Customer Care Portal” designed by T-Mobile allows anyone with the phone number of a T-Mobile user to get access to customer data.
  • The carrier has already faced controversy over similar bugs in the past that put users at risk.

T-Mobile is in the midst of a data privacy controversy yet again. The carrier has a vulnerability in its customer care portal that allows anyone with the phone number of one of its users to get access to customer data. Simply adding a T-Mobile phone number to the end of a URL returns information such as account PINs, account status information and the customer’s name. Some users can also have their tax identification numbers revealed.

The bug is present in a publicly available subdomain, and the exploit was discovered by security researcher Ryan Stevenson after T-Mobile said it offers bounties to anyone who discovers bugs on the website. The bug was reported in early April, and a reward of $1,000 was awarded to the researcher. The T-Mobile API was pulled as soon as the company was alerted to the exploit.

T-Mobile Customer Care
Image Courtesy of iCustomer Service

T-Mobile customers who believe their data has been compromised can get help from the Privacy and Security Resources page and work with the carrier to find a solution. Unlike other carriers, T-Mobile does not have a web security team to deal with potential privacy breaches quickly. With that gap and multiple security breaches in the recent past, people may slowly begin to lose trust and move on to other carriers.

The impact of the exploit is yet to be identified, as data may have already been stolen from the website by attackers. The bug has already been patched, and according to the carrier there seems to be no evidence of customer information being stolen. A similar bug was found last fall, and although the carrier claimed that the bug had been patched, attackers were able to use the exploit, which puts the carrier’s claims that user data was not stolen into question.
