A T-Mobile bug was making it extremely easy for anyone to access your data
A supposedly private subdomain gave anyone the ability to look up customer data.
There’s been another data leak, this time at T-Mobile.
In April, the No. 3 carrier in the U.S. temporarily exposed customer data on one of its websites. As a result, anyone could access the personal account information for any customer just by typing in their cell phone number. The bug, since patched, exposed the data on a T-Mobile subdomain that’s supposed to be accessible only by staff.
Instead, anyone could use the portal if they knew the website’s address, according to ZDNet.
Before it was fixed, the subdomain, promotool.t-mobile.com, contained a hidden API that would return T-Mobile customer data just by adding a cell phone number at the end of the web address. The returned data included a customer’s name, address, billing account number, and in some cases, information about tax identification numbers.
The page would also show the user whether the customer was past-due on their bill or if the customer had their service suspended. You could also bring up user PINs that are used when customers contact T-Mobile phone support.
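The flaw described above, reduced to a sketch: a lookup keyed only by the phone number in the URL, beside a version that requires a verified staff session, records who looked up what, and withholds the support PIN. This is an added example, not T-Mobile's code; the records, key, token scheme and function names are all constructed for illustration.

```python
# Added example: every name, key and record here is constructed, not T-Mobile's.
import hashlib
import hmac

CUSTOMERS = {  # constructed sample record
    "5550100": {"name": "Sample Customer", "account": "000000000", "pin": "0000"},
}
STAFF_KEY = b"constructed-demo-key"  # assumption: server-side secret for staff tokens
SENSITIVE = {"pin"}                  # fields a lookup never returns


def _mac(staff_id):
    return hmac.new(STAFF_KEY, staff_id.encode(), hashlib.sha256).hexdigest()


def sign(staff_id):
    """Issue a session token once a staff member has authenticated."""
    return f"{staff_id}.{_mac(staff_id)}"


def staff_from_token(token):
    """Return the staff id if the token verifies, else None."""
    if not token or "." not in token:
        return None
    staff_id, mac = token.rsplit(".", 1)
    ok = hmac.compare_digest(mac.encode(), _mac(staff_id).encode())
    return staff_id if ok else None


def lookup_exposed(phone):
    """The flaw as reported: the phone number in the URL is the only input."""
    record = CUSTOMERS.get(phone)
    return (200, record) if record else (404, None)


def lookup_hardened(phone, token, audit):
    """Same lookup, gated on a verified staff session, audited and filtered."""
    staff_id = staff_from_token(token)
    if staff_id is None:
        return 401, None               # reject before touching customer data
    audit.append((staff_id, phone))    # every lookup is attributable to a person
    record = CUSTOMERS.get(phone)
    if record is None:
        return 404, None
    return 200, {k: v for k, v in record.items() if k not in SENSITIVE}
```

The audit list is what lets an operator answer, with evidence, whether any records were accessed and by whom.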
The bug was first spotted by security researcher Ryan Stevenson in April and brought to T-Mobile’s attention soon after. A T-Mobile spokesperson explains, “the bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
T-Mobile currently has 74 million users. Just weeks ago, T-Mobile and Sprint announced plans to merge. If approved by U.S. regulators, the combined company would have 127 million customers, which would put it behind Verizon Wireless but ahead of AT&T in customer count. The $26 billion merger agreement is expected to close in 2019.
It’s been a busy month for data breaches, malware, and the like.
Earlier this week, we learned the TeenSafe app was anything but safe with customer information. Previously, Grayshift, a company that unlocks iPhones for police, was hit by a breach. And then you have the Russians, who are being accused of spreading malware to hundreds of thousands of routers around the world.
If you’re a T-Mobile customer, we’d like to hear from you. Did you hear from the company about this issue? Let us know in the comments below.