
T-Mobile API bug may have leaked customer account data

A bug in T-Mobile's wsg.t-mobile.com API may have allowed attackers to access customer data that can be used to carry out phishing attacks or worse.

Exploiting the flaw required only that an attacker know or guess a victim's phone number; the API then returned information including the billing account number, email address, and the phone's IMSI.
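As an added illustration (not code from T-Mobile or from the article), the lookup pattern described above beside a hardened version that binds the requested number to the authenticated caller, plus a simple log check for number enumeration; the records, session tokens, log format and function names are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import asdict, dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    phone: str
    billing_account: str
    email: str
    imsi: str

# Constructed subscriber records standing in for the real database.
ACCOUNTS = {
    "5550100": Account("5550100", "BA-0001", "alice@example.com", "310260000000001"),
    "5550101": Account("5550101", "BA-0002", "bob@example.com", "310260000000002"),
}
# Constructed session store: bearer token -> phone number it was issued for.
SESSIONS = {"tok-alice": "5550100", "tok-bob": "5550101"}

class AuthorizationError(Exception):
    pass

def lookup_vulnerable(phone: str) -> Optional[dict]:
    """Insecure pattern: the supplied number alone selects the record, so any
    caller who knows or guesses a number gets that subscriber's details."""
    acct = ACCOUNTS.get(phone)
    return None if acct is None else asdict(acct)

def lookup_hardened(token: Optional[str], phone: str) -> dict:
    """Hardened pattern: identify the caller from the session first, then
    require that the requested number is the one bound to that session."""
    caller_phone = SESSIONS.get(token or "")
    if caller_phone is None:
        raise AuthorizationError("authentication required")
    if caller_phone != phone:
        # Same error whether or not the other number exists: no enumeration oracle.
        raise AuthorizationError("not permitted")
    return asdict(ACCOUNTS[caller_phone])

def enumeration_suspects(log_lines: list, threshold: int = 3) -> set:
    """Detection: flag source IPs that queried more distinct phone numbers than
    a self-service client would. Constructed log format: '<client_ip> <phone>'."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, phone = line.split()
        seen[ip].add(phone)
    return {ip for ip, phones in seen.items() if len(phones) >= threshold}
```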

The vulnerability was discovered by Secure7 Founder Karan Saini who told Vice's Motherboard that an attacker could have had access to the information of all 76 million customers.

"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," Saini said. T-Mobile said the issue only affected a small number of customers.

"The hacker made claims and assumptions before an investigation could be conducted," a T-Mobile spokesperson told SC Media. "We completed an investigation and found that a few hundred customers were affected, and we notified them accordingly."

Saini was offered a $1,000 reward for his discovery as part of the cellular provider's bug bounty program. An anonymous hacker claims the bug was exploited in the last few weeks and has posted a tutorial of the exploit on YouTube and even reportedly sent the Vice reporter their own account information obtained via the exploit.

UPDATE: This story was updated to include comments from T-Mobile.
