A bug in T-Mobile's wsg.t-mobile.com API may have allowed attackers to access customer data that can be used to carry out phishing attacks or worse.
The flaw only required an attacker to know or guess a victim's phone number to grant access to information including billing account numbers, email addresses, and phone IMSI.
The vulnerability was discovered by Secure7 Founder Karan Saini who told Vice's Motherboard that an attacker could have had access to the information of all 76 million customers.
"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," Saini said. T-Mobile said the issue only affected a small number of customers.
"The hacker made claims and assumptions before an investigation could be conducted," a T-Mobile spokesperson told SC Media. "We completed an investigation and found that a few hundred customers were affected, and we notified them accordingly."
Saini was offered a $1,000 reward for his discovery as part of the cellular provider's bug bounty program. An anonymous hacker claims the bug was exploited in the last few weeks and has posted a tutorial of the exploit on YouTube and even reportedly sent the Vice reporter their own account information obtained via the exploit.
UPDATE: This story was updated to include comments from T-Mobile.