T-Mobile website bug allowed hackers to get customer account data, but it’s been fixed

A new report has revealed that the T-Mobile website recently suffered from a privacy bug.

Security researcher Karan Saini says that a flaw in the T-Mobile website would allow an attacker to access account data, including a customer’s name and IMSI number, simply by knowing or guessing that customer’s phone number. Here’s what Secure7’s Saini told Motherboard about the bug:

“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users.”

Saini warned T-Mobile about this bug, and T-Mo patched it last Friday. T-Mobile says that there’s no indication that the flaw was shared broadly and that only a small portion of the customer base was affected. In return for reporting the bug, T-Mobile gave Saini $1,000 and encouraged others to report any bugs to secure@t-mobile.com, security@t-mobile.com, and bug-bounty@t-mobile.com.

Because this bug could have given access to the personal data of customers, it’s a pretty serious issue. The good news is that it sounds like T-Mobile fixed it up fairly quickly and that it doesn’t appear that anyone exploited the vulnerability before it was patched.
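The pattern described above is a lookup endpoint keyed on a guessable identifier (the phone number) with no check that the caller is entitled to that record. The following is an added example, not T-Mobile's code and not from the report: it shows that flawed shape next to a hardened version that enforces object-level authorization, plus a small server-side detector for the scraping scenario Saini describes. The records, session model, field names and threshold are all constructed assumptions.

```python
"""Added example (not T-Mobile's code): an account-lookup endpoint keyed on a
phone number, in the shape the article describes, beside a hardened version.

Everything here is constructed. The record fields mirror the ones quoted in
the article (name, email, billing account number, IMSI, linked numbers), but
the values, the session model and the detection threshold are assumptions."""

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

# Constructed sample records keyed by phone number. "linked" lists the other
# numbers on the same billing account (the "family members" in the quote).
ACCOUNTS = {
    "5550100": {"name": "A. Example", "email": "a@example.invalid",
                "billing_account": "BA-0001", "imsi": "310260000000001",
                "linked": ["5550101"]},
    "5550101": {"name": "B. Example", "email": "b@example.invalid",
                "billing_account": "BA-0001", "imsi": "310260000000002",
                "linked": ["5550100"]},
    "5550200": {"name": "C. Example", "email": "c@example.invalid",
                "billing_account": "BA-0002", "imsi": "310260000000003",
                "linked": []},
}


@dataclass
class Session:
    """What the server knows about the caller; phone is None when not logged in."""
    phone: Optional[str] = None


def lookup_vulnerable(phone: str) -> Optional[dict]:
    """The flawed pattern: whoever supplies a phone number gets the record.
    Nothing ties the requested number to who is asking, so a guessable
    identifier is the only thing needed, and the whole number space can be
    walked."""
    return ACCOUNTS.get(phone)


class Forbidden(Exception):
    pass


def lookup_hardened(session: Session, phone: str) -> dict:
    """Object-level authorization: the caller must be logged in, and the number
    must be the caller's own or one linked on the same billing account.
    Unknown and unauthorized numbers raise the same error, so the response
    does not reveal whether a given number is a customer."""
    if session.phone is None or session.phone not in ACCOUNTS:
        raise Forbidden("authentication required")
    own = ACCOUNTS[session.phone]
    if phone != session.phone and phone not in own["linked"]:
        raise Forbidden("not authorized for this number")
    record = ACCOUNTS.get(phone)
    if record is None:
        raise Forbidden("not authorized for this number")
    return record


class EnumerationDetector:
    """Server-side detection for the scraping scenario in the article: flag a
    client that looks up many *distinct* phone numbers inside a short window.
    A legitimate subscriber only ever touches the numbers on their own
    account, so a high distinct count is the signal, not raw request volume."""

    def __init__(self, max_distinct: int = 20, window: float = 60.0) -> None:
        self.max_distinct = max_distinct
        self.window = window
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def record(self, client: str, phone: str, now: float) -> bool:
        """Record one lookup by `client` at time `now` (seconds); return True
        when that client has exceeded the distinct-number threshold."""
        q = self._events[client]
        q.append((now, phone))
        # Drop events that have aged out of the sliding window.
        while q and now - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        return len(distinct) > self.max_distinct
```

`lookup_vulnerable` needs nothing but a number; `lookup_hardened` refuses the same request unless the session owns that number or shares its billing account, which is the check the report implies was missing. The detector is a complement, not a substitute: authorization closes the hole, and the distinct-number count gives operations a way to notice if a similar endpoint is being walked.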

Source: Motherboard

  • Ky

    $1000 is all? Add a few zeros to that. He helped T-Mobile avoid a huge PR disaster.

    • brybry

      They didn’t avoid anything. From the article, whatever they patched got exploited again.

  • Nobody Special

    I’m sure whoever hacked this info before it was patched will be selling it to the highest bidder… Hmmm, T-Mobile hasn’t notified its customers of this, I guess I’ll be notified that my information was stolen when my identity gets stolen (thanks T-Mobile).

    Let’s see how long it will take to be notified by T-Mobile… Maybe that should have been a message in the T-Mobile app. It should be a law for these companies to inform their customers of these compromises; even if this information had been compromised for 5 minutes, we should be the first to know.

    • steveb944

      Don’t expect that under this office.

  • VN911

    T-mobile is such a liar. My T-mobile account got hacked last Monday October 2nd. The hacker got a hold of my T-mobile account, my phone number and my credit card number that I use for auto pay. The hacker ported my phone number to Sprint on that day, and attempted to charge $3000 on Best Buy using my credit card. This is unbelievable.

  • Adampk17

    Cue the fraud/telemarketer calls in 3, 2, 1….

  • The Swami

    T-Mobile patching it up fairly quickly from when they found out is good news. Bad news – other websites/reporters are reporting this was known and exploited by the hacking community for at least 3 weeks prior, which means everyone’s data (or a lot of it) is probably vulnerable. Expect to see more press from TMO in the coming day(s) regarding the severity of the breach being “more than we originally thought”, is my guess.

  • TaskForce141

    Worst case: the criminals get your answers to the password reset questions, or change them.
    Check on them, make sure they’re still the same. Better yet, change them to something that’s not guessable via social media.
    Example: “Where did you take your wife on your first date together?”
    Old answer: Movies. My new answer: Nazi Germany.
    I would change the T-Mo account password, too.

  • TaskForce141

    Worst case: the criminals get your answers to the password reset questions, or change them.
    Check on them, make sure they’re still the same. Better yet, change them to something that’s not guessable via social media.
    Example: “Where did you meet your wife?”
    Old answer: College. My new answer: state prison

    I would change the T-Mo account password, too.