T-Mobile website bug may have exposed millions of customers' personal data to hackers

A vulnerability on T-Mobile's website may have exposed millions of customers' personal data to hackers, including their email addresses, T-Mobile customer account numbers and their phone's IMSI, a unique identifier assigned to every device.

Security researcher Karan Saini discovered the flaw that allowed anyone who knew or guessed a customer's phone number to obtain data that could be used for social engineering attacks or even hijack a target's numbers, Motherboard first reported.

"T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, founder of startup Secure7, told Motherboard.

"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim."

In a statement, T-Mobile said that the flaw affected only a small part of their customer base and that they resolved the issue in less than 24 hours.

"We resolved the vulnerability that was reported to us by the researcher in less than 24 hours, and we have confirmed that we have shut down all known ways to exploit it," T-Mobile said in a statement. "As of this time, we've found no evidence of customer accounts affected as a result of this vulnerability."

Saini said the telecom giant thanked him for notifying them about the issue and offered him a $1000 reward as part of its bug bounty program that rewards white hat hackers and researchers who find and report bugs and flaws in their systems.

It is still unclear for how long the vulnerability was live on T-Mobile's website and whether it has been exploited by any malicious hackers.

However, Motherboard said that an anonymous black hat hacker reached out to them, saying that the recently-patched bug has been exploited by other nefarious actors in recent weeks.

"A bunch of SIM-swapping skids had the [vulnerability] and used it for quite a while," the hacker told Motherboard, referring to the illegal practice of fraudsters taking over phone numbers by requesting new SIM cards by posing as the legitimate customer and answering some basic security questions.

The hackers who discovered the bug also reportedly posted a tutorial video on how to exploit the vulnerability on YouTube.

IBTimes UK has reached out to T-Mobile for comment.