With the incredibly devastating Equifax security breach still fresh in everyone’s mind, you’d imagine that the security teams of any major company are paying extra attention to their customers’ data these days. For T-Mobile, the dire example set by the credit agency apparently wasn’t enough, as a huge bug in the company’s website allowed hackers to obtain a wealth of personal data on any customer as long as they knew that customer’s phone number.
The gaping hole, which was first discovered by security researcher Karan Saini and reported by Motherboard, allowed access to names, email addresses, account numbers, and the IMSI identifier of the phones on the subscribers’ accounts, as well as anyone who shared the account, making families especially vulnerable.
“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini told Motherboard.
The only silver lining here is that, after Saini contacted the company to alert it to the huge oversight, T-Mobile says it was able to patch the hole before it could be fully exploited. However, T-Mobile also contradicted Saini’s initial findings, saying that only a small portion of its subscribers was affected, rather than the entirety of T-Mobile’s customer base.
Additionally, hackers have now come forward to say that they knew about the exploit and had been using it for some time, even going so far as to send the author of the Motherboard piece their own account data that was, according to T-Mobile, not leaked.
If hackers did manage to access and archive the customer information before T-Mobile patched the hole, that could be devastating news for the company. T-Mobile hasn’t provided any further comment, but we’ll be very interested to hear what they have to say.