A pair of security researchers discovered a bug on the MetroPCS payment website that left the personal information of more than 10 million subscribers exposed.
An attacker could access a user's name, address, phone model and serial number, and monthly rate, by using a Firefox plugin to send an HTTP request to the MetroPCS website using the customer's number, according to a report in Vice's Motherboard.
Eric Taylor and Blake Welsh made the discovery. Taylor told Motherboard that an attacker could use the vulnerable data on the MetroPCS site to carry out social engineering attacks, such as calling the provider's customer service to gather more information on a victim or using the data to gain unauthorized access into other accounts.
It may have also been possible for an attacker to “clone” a victim's phone to intercept their calls or even create a script that could be used to obtain the information of every MetroPCS subscriber, the report said.
The researchers reported the vulnerability to Motherboard in mid October although the story was held until the bug was patched in order to protect customer data.
There is reportedly no evidence that any customer information was compromised.
SCMagazine.com attempted to contact T-Mobile, MetroPCS's parent company, but they have yet to comment.
In October, a breach at T-Mobile vendor Experian exposed the personally identifiable information of about 15 million customers.