There’s a chance that your account data was exposed to anyone who has your phone number. Lately, we’ve been going through the devastation of the Equifax security breach, and now T-Mobile is coming into the mix. A huge bug in the company’s website allowed hackers to obtain a lot of personal data on any customer as long as they had that customer’s phone number.
First discovered by security researcher Karan Saini and reported by Motherboard, this bug allowed access to names, email addresses, account numbers, and the IMSI identifiers of the phones on subscribers’ accounts, including those of other people on a shared account. This means that others on your account are also vulnerable.
“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini told Motherboard.
After Saini contacted the company to alert them of the huge bug, T-Mobile said it was able to patch the hole before it could be fully exploited. T-Mobile, however, also contradicted Saini’s initial findings, stating that only a small portion of its subscribers were affected rather than the entire T-Mobile customer base.
As if that weren’t enough, hackers have now come forward to say that they knew about the exploit and had been using it for some time. They went so far as to send the author of the Motherboard piece their own account data, which, according to T-Mobile, was not leaked.
Hackers managed to find the massive bug and exploit it to obtain T-Mobile customer data before a patch was applied. This is definitely devastating news for the uncarrier, and it would have been far worse if the patch had not been applied. The carrier hasn’t given any additional comment. We have reached out and will update once we hear back.