At the start of October, it was announced that Experian had suffered a data breach that exposed the personal data of 15 million people who had applied for T-Mobile service. Now it’s been revealed that T-Mobile prepaid brand MetroPCS was recently involved in a security issue of its own.
Two security researchers recently discovered a bug in the payment page on MetroPCS’s website that could expose a customer’s home address, phone model and serial number, and more, to anyone who knew (or guessed) that customer’s phone number. Eric Taylor and Blake Welsh found the bug in mid-October and shared it with Motherboard, which then confirmed the issue by running a Firefox plugin to send an HTTP request to MetroPCS’s website using a known phone number.
The good news is that the bug was shared with T-Mobile on October 22 and that no information about the issue was made public until it was patched up. T-Mobile hasn’t had much of anything to say about the security flaw, only telling Motherboard that it appreciates “responsible disclosure” about the problem.
Because MetroPCS is a prepaid operator, some of the more sensitive information that was a part of the Experian-T-Mobile breach — like Social Security numbers — wasn’t leaked by this Metro bug. That said, MetroPCS’s website bug is still a big deal because malicious parties could’ve tried to use social engineering to gather more info about Metro customers from other companies or services. Plus, it’s kind of crazy to think that a large operator like MetroPCS would have a website flaw that several hackers say would’ve made it “very easy” to access a customer’s personal information.