T-Mobile Bug Put Millions of Users at Risk of Data Theft

  • A new T-Mobile bug put millions of users at risk due to a vulnerability in one of the carrier’s subdomains.
  • The “Customer Care Portal” designed by T-Mobile allows anyone with a phone number of a T-Mobile user to get access to customer data.
  • The carrier has already been in the midst of controversy with similar bugs in the past that put users at risk.

T-Mobile is in the midst of data privacy controversy yet again. The phone carrier company has a vulnerability in its customer care portal which allows anyone with phone numbers of the carrier's users to get access to customer data. Simply adding a T-Mobile phone number at the end of a URL allows users to get access to information like account pins, account status information and the customer’s name. Some users can also have their tax identification numbers revealed.

The bug is present in a publicly available subdomain, and the exploit was discovered by security researcher Ryan Stevenson following T-Mobile’s claims of offering bounties to anyone who discovers bugs on the website. The bug was reported in early April, and a reward of $1,000 was awarded to the researcher. The T-Mobile API was pulled as soon as the company was alerted of the exploit.

T-Mobile Customer Care
Image Courtesy of iCustomer Service

T-Mobile customers who believe their data has been compromised can get help from the Privacy and Security Resources page and work with the carrier to find a solution. With the carrier lacking a web security team and multiple security breaches in the recent past, people may slowly begin to lose trust and move on to other carriers. Unlike other carriers, T-Mobile does not have a web security team to deal with potential privacy breaches quickly.

The impact of the exploit is yet to be identified as data may have already been stolen from the website by attackers. The bug has already been patched, and there seems to be no evidence of customer information being stolen according to the carrier. A similar bug was found last fall, and despite the carrier making claims that the bug was patched, attackers were able to use the exploit which puts the carrier’s claims of the user data not being stolen into question.

How to Watch Plan B Online: Stream Patrick J. Adam’s Time Travel Series from Anywhere
Who could forget Patrick J. Adam's masterful portrayal of the dropout college student who turned into a lawyer Mike Ross in the...
How to Watch The Voice Season 23 Online from Anywhere
Fans of the musical competition series that has won four Emmy Awards will be happy to know that a new season is...
How to Watch Wild Isles Online for Free: Stream the 2023 David Attenborough Series from Anywhere
Wild Isles is a British series focused on nature, and we have the premiere date, plot, episode release schedule, and other details....
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari