A bug recently found on T-Mobile’s website gave hackers access to data such as customer email addresses, T-Mobile account numbers, and unique IMSI subscriber numbers, according to a new report. And at this point, it’s not clear how many hackers actually exploited the bug before it was patched.
The flaw was discovered by security researcher Karan Saini, Motherboard reports. Simply by knowing — or guessing — a phone number, hackers could have taken the data in question straight from T-Mobile’s site. Hypothetically, hackers could have run a script to steal the information from all 76 million T-Mobile customers.
T-Mobile said the issue only impacted relatively few of its customers. In a statement to Motherboard, the company said “we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly.”
Updates Raise Questions
However, an update from Motherboard indicates the problem could be much larger. An anonymous hacker contacted the site and said malicious hackers had already exploited the bug.
In an eerie twist, the Motherboard reporter then wrote, “To prove their claim, the hacker sent me my own account’s data.” There’s even a video tutorial about how to exploit the bug, which was posted to YouTube on Aug. 6, and is still up as of this writing.
T-Mobile responded with another statement, in which the company reiterated that the exploit was shut down, and also said, “As of this time we’ve found no evidence of customer accounts affected as a result of this vulnerability.”
Notably, the statement doesn’t offer any indication of how long the bug was around before being discovered and patched. It’s too early to tell if this will eventually be revealed as a larger data breach — or if T-Mobile will issue further comment on the bug, outside of making statements in response to one article — but there do seem to be a number of unanswered questions here.