T-Mobile website bug let hackers steal personal data with only a phone number

T-MobileA bug on a T-Mobile website allowed hackers to access personal data – including email addresses, T-Mobile account numbers, and people’s phone’s IMSI – with just a mobile phone number up until last week.

As reported by Motherboard, the flaw was discovered by security researcher, and founder of startup Secure7, Karan Saini, who told the publication: “T-Mobile has 76m customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76m of these customers to create a searchable database with accurate and up-to-date information of all users. That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim.”

The bug was found within the wsg.t-mobile.com API. Here, hackers would’ve been able to query someone’s phone number and the API would send back a response with that person’s data.

“We were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly,” said T-Mobile in a statement.

However, this claim has been disputed by anonymous hacker, telling Motherboard that “a bunch of SIM swapping skids had the [vulnerability] and used it for quite a while”.

Join us at the 2017 Effective Mobile Marketing Awards Ceremony, taking place in London on Thursday 16 November, to mix with the industrys best and brightest, and raise a glass to the years best campaigns and solutions. To find out more, and to book your place, click here.