T-Mobile Website Bug Gave Hackers Personal Data Access

A bug recently found on T-Mobile’s website gave hackers access to data such as customer email addresses, T-Mobile account numbers, and unique IMSI subscriber numbers, according to a new report. And at this point, it’s not clear how many hackers actually exploited the bug before it was patched.

mandritoiu / Shutterstock.com

The flaw was discovered by security researcher Karan Saini, Motherboard reports. Simply by knowing — or guessing — a phone number, hackers could have taken the data in question straight from T-Mobile’s site. Hypothetically, hackers could have run a script to steal the information from all 76 million T-Mobile customers.

T-Mobile said the issue only impacted relatively few of its customers. In a statement to Motherboard, the company said “we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly.”

Updates Raise Questions

However, an update from Motherboard indicates the problem could be much larger. An anonymous hacker contacted the site and said malicious hackers had already exploited the bug.

In an eerie twist, the Motherboard reporter then wrote, “To prove their claim, the hacker sent me my own account’s data.” There’s even a video tutorial about how to exploit the bug, which was posted to YouTube on Aug. 6, and is still up as of this writing.

T-Mobile responded with another statement, in which the company reiterated that the exploit was shut down, and also said, “As of this time we’ve found no evidence of customer accounts affected as a result of this vulnerability.”

Notably, the statement doesn’t offer any indication of how long the bug was around before being discovered and patched. It’s too early to tell if this will eventually be revealed as a larger data breach — or if T-Mobile will issue further comment on the bug, outside of making statements in response to one article — but there do seem to be a number of unanswered questions here.

Phil Dzikiy

Phil Dzikiy

Phil Dzikiy is the former editor in chief of Security Baron. Before, he has worked as a freelance writer and editor at websites like Wirecutter.com and iLounge.com along with publications like the Lockport Union Sun & Journal and the Greater Niagara Newspapers. With digital and print experience under his belt, Phil has a passion for all things technology including home security, cyber security, and the smart home. His bachelor's degree in Journalism from the University of Maryland College Park initially landed Phil his first job at the Beaver County Times, which has lead to over 15 years of experience as a journalist.

Trending News

Follow Us