
T-Mobile Site Leaked Data On Millions Of Customers

June 9, 2018 | June 8th, 2022 | Cybersecurity

ZDNet researcher Ryan Stevenson recently found a serious flaw on T-Mobile’s website: an unprotected API. As a result of the flaw, the account information of untold millions of T-Mobile customers was left exposed and completely unprotected. Anyone who stumbled across the site and tried to abuse it could access a wide range of customer information with no password required.

This includes, but is not limited to:

  • Customer name
  • Phone number
  • Mailing address
  • Account number
  • The status of the account (current, past due, suspended, etc.)

In an unknown number of cases, tax IDs and PINs were also exposed.

T-Mobile has a bug bounty program and pays a bounty to anyone who discovers a flaw that impacts the company. Stevenson received a $1,000 reward for discovering the issue, and subsequent research revealed that the flaw had been present on the company’s website since October 2017 or earlier.

T-Mobile’s handling of the incident has been less than stellar so far. Although the company has acknowledged the issue and has already moved to correct it, it has released no information about how many customer records were exposed.

There is no evidence that any of the exposed records were inappropriately accessed. Typically, when an incident like this occurs, the company in question provides details on the scope and scale of the incident, informs all potentially impacted customers and usually provides a year of free credit and identity monitoring. So far, none of that has occurred.

While it’s certainly possible that the company may take these steps in the future, we were both surprised and disappointed that it had not already done so, especially given that this was essentially a self-inflicted wound. Here’s hoping that in the days ahead, the company does something to earn back the lost trust.

Chris Forte
