Mobile Website Glitch Allowed Hackers To Access Private Customer Data For Months

Joanna Estrada
October 12, 2017

The bug, which affected T-Mobile's API, could have exposed users' names, email addresses, account numbers, and the IMSI network codes from their phones, Motherboard reports.

Security researcher Karan Saini says that a flaw in T-Mobile's website API allowed an attacker to retrieve account data, including a customer's name and IMSI, simply by supplying that customer's phone number, whether known or guessed. All an attacker needed was your phone number, which is not exactly hard to find (or even to stumble upon). (Tech support staff are supposed to require security-question answers, invoices and other proof of identity, but often hand over replacement SIMs to smooth-talking hackers without them.) We've reached out to T-Mobile and the FCC to find out if there was an uptick in such attacks over the last few months.
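The lookup flaw Saini describes, as an added example that is not T-Mobile's code and not taken from the Motherboard report: a minimal lookup service in its vulnerable shape (any caller, any phone number, no throttle) beside a hardened shape that only returns the record bound to the caller's own session and throttles repeated calls. The subscriber records, session tokens, IMSIs and function names are all constructed for this illustration.

```python
"""Added illustration of the phone-number lookup flaw described above.

Not T-Mobile's code. Subscriber records, session tokens and IMSIs are
constructed sample data; the service shape is an assumption.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional
import time

# Constructed sample subscribers (fake numbers, fake IMSIs).
SUBSCRIBERS: Dict[str, dict] = {
    "15550001111": {"name": "A. Example", "email": "a@example.test",
                    "account": "100200300", "imsi": "310260000000001"},
    "15550002222": {"name": "B. Example", "email": "b@example.test",
                    "account": "100200301", "imsi": "310260000000002"},
}

# Constructed session store: token -> phone number the session is bound to.
SESSIONS: Dict[str, str] = {"tok-for-1111": "15550001111"}


class Forbidden(Exception):
    """Caller asked for a record its session does not own."""


class RateLimited(Exception):
    """Caller exceeded the per-token lookup budget."""


def lookup_vulnerable(msisdn: str) -> Optional[dict]:
    """The flaw as the article describes it: whoever knows or guesses a
    phone number gets the full record. No authentication, no ownership
    check and no throttle, so a script can simply walk the number space."""
    return SUBSCRIBERS.get(msisdn)


def scrape(lookup_fn: Callable[[str], Optional[dict]],
           candidates: Iterable[str]) -> Dict[str, dict]:
    """Walk candidate numbers the way the scraping script mentioned in the
    article would, collecting whatever the endpoint hands back."""
    found = {}
    for number in candidates:
        record = lookup_fn(number)
        if record:
            found[number] = record
    return found


class Lookup:
    """Hardened shape: the record returned is the one bound to the caller's
    session, never one chosen by the caller, and calls are throttled per
    token so an authenticated client still cannot enumerate."""

    def __init__(self, max_per_minute: int = 5,
                 clock: Callable[[], float] = time.monotonic):
        self.max_per_minute = max_per_minute
        self.clock = clock
        self._hits: Dict[str, list] = defaultdict(list)

    def _throttle(self, token: str) -> None:
        now = self.clock()
        recent = [t for t in self._hits[token] if now - t < 60]
        if len(recent) >= self.max_per_minute:
            raise RateLimited(token)
        recent.append(now)
        self._hits[token] = recent

    def lookup(self, token: str, msisdn: str) -> dict:
        self._throttle(token)
        owner = SESSIONS.get(token)
        # The caller-supplied number must equal the number the session is
        # bound to; anything else is the cross-account read described above.
        if owner is None or owner != msisdn:
            raise Forbidden(msisdn)
        return SUBSCRIBERS[msisdn]


if __name__ == "__main__":
    guesses = ["15550001111", "15550002222", "15550009999"]
    print("vulnerable endpoint leaked:", sorted(scrape(lookup_vulnerable, guesses)))
    svc = Lookup(max_per_minute=3)
    print("own record:", svc.lookup("tok-for-1111", "15550001111")["imsi"])
    try:
        svc.lookup("tok-for-1111", "15550002222")
    except Forbidden as exc:
        print("cross-account read refused:", exc)
```

The throttle is deliberately applied before the ownership check so that a flood of guesses is counted even when every guess is refused; an authorization check alone still leaves a valid session free to probe for which numbers exist.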

Additionally, hackers have now come forward to say that they knew about the exploit and had been using it for some time, even going so far as to send the author of the Motherboard piece the author's own account data, data that T-Mobile said had not been exposed.

The potential scale of the exposure is hard to bound: any customer whose phone number could be found or guessed could have been looked up.

T-Mobile said it had no indication that the flaw had been shared broadly, and that only a small portion of its customer base was affected.

While the bug was first reported to Motherboard by security firm Secure7, an anonymous black-hat hacker later told the publication that it had been exploited since at least early August.

"An attacker could have run a script to scrape the data ... from all 76 million [T-Mobile] customers to create a searchable database with accurate and up-to-date information of all users", Saini told Motherboard in an online chat.

"We were alerted to an issue that we investigated and fully resolved in less than 24 hours", said T-Mobile in a statement to Motherboard.

A "bunch of sim swapping skids had the [vulnerability] and used it for quite a while", the hackers claim.
