A bug in T-Mobile's website exposed millions of customers' personal details
T-Mobile faces another data breach, one that made millions of customers' personal information available to anyone who knew where to look. The security flaw was found in the promotool.t-mobile.com website, which is meant to be used by employees only. However, anyone who knew the subdomain's name could pull information from T-Mobile's database.
It was discovered that this subdomain, used as a customer support portal, was not protected by a password or any other authentication. Anyone could therefore reach the company's internal tool. As a result, attackers could obtain T-Mobile customers' information simply by entering any phone number, including:
- full names;
- billing account number;
- security PIN;
- tax identification numbers.
There is no doubt that if such information ends up in the hands of cybercriminals, people can suffer a lot. The possible damage includes financial loss, robbery or even identity theft. According to the latest information, 74 million accounts might have been exposed.
The bug was reported and fixed immediately
Security researcher Ryan Stevenson discovered the bug in T-Mobile's customer support portal and reported it to the company. Not only was the site shut down the next day, but the researcher was also awarded $1,000 through the company's bug bounty program:
“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here” [Source: T-Mobile]
However, the site had been available since October 2017, so it is unknown whether cybercriminals discovered the flaw before Stevenson did. Some sources say that hackers have proof that they managed to steal customers' data before it was patched.
Meanwhile, T-Mobile's spokesperson told media outlets that no customer information was leaked and that the buggy API was fixed. However, a similar security flaw was found on another of the company's subdomains last year, so hackers who were aware of that issue may have probed the company's other domains as well.
T-Mobile had issues with customer data protection before
This T-Mobile data breach is not the first one. In October 2017, security researcher Karan Saini discovered a flaw in the company's website that let attackers scrape personal customer information, including email addresses, T-Mobile account numbers, phones' IMSI numbers, and other sensitive data.
Attackers only needed to visit the buggy website and enter any phone number to obtain that customer's personal information. Fortunately, the flaw was fixed immediately, and nobody appears to have suffered from this breach.
However, three years ago hackers managed to steal the information of 15 million T-Mobile customers. That breach was not directly the company's fault: hackers successfully attacked Experian, the company that managed T-Mobile customers' credit card applications and related processes.
It was reported that the data breach occurred between September 1, 2013, and September 16, 2015. During this long period, the full names, birthdays, Social Security numbers and driver's license numbers of 15 million T-Mobile customers were leaked. However, credit card and payment information remained safe.
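Both flaws the article describes (the promotool.t-mobile.com portal and the October 2017 website bug) share one root cause: a lookup endpoint that returned a customer record for any phone number with no check on who was asking. As an added example, not code from the article, from T-Mobile or from either researcher, here is a small Python model of such an endpoint in its flawed form beside a hardened form that requires an employee session, limits the response to what a support agent needs, never returns the security PIN, and writes an audit record that a simple enumeration check can review. The customer records, session tokens, request object, IP addresses and the enumeration threshold are all constructed for the demonstration and are not real T-Mobile data or design.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample customer records (fictional numbers and values).
CUSTOMERS = {
    "5550001111": {"name": "Alice Example", "account": "ACC-0001",
                   "pin": "1234", "tax_id": "TAX-9001"},
    "5550002222": {"name": "Bob Example", "account": "ACC-0002",
                   "pin": "5678", "tax_id": "TAX-9002"},
}

# Constructed employee sessions: bearer token -> role.  A real portal would
# obtain these from the company identity provider rather than hold them inline.
SESSIONS = {"tok-support-1": "support_agent", "tok-marketing-1": "marketing"}

AUDIT_LOG = []  # one dict per lookup attempt that passed authentication


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to the portal (constructed)."""
    params: dict
    headers: dict = field(default_factory=dict)
    remote_addr: str = "192.0.2.1"  # documentation address range, constructed


def lookup_vulnerable(req):
    """The flawed design: no authentication at all, so anyone who reaches the
    hostname gets the full record for any phone number, security PIN included."""
    record = CUSTOMERS.get(req.params.get("phone", ""))
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)


def lookup_hardened(req):
    """Hardened form: authenticate, authorize by role, validate input, return
    only what a support agent needs, and record the lookup for later review."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    role = SESSIONS.get(token)
    if role is None:
        return 401, {"error": "authentication required"}
    if role != "support_agent":
        return 403, {"error": "role not permitted to view customer records"}
    phone = req.params.get("phone", "")
    if not (phone.isdigit() and len(phone) == 10):
        return 400, {"error": "invalid phone number"}
    record = CUSTOMERS.get(phone)
    AUDIT_LOG.append({"actor": token, "ip": req.remote_addr,
                      "phone": phone, "found": record is not None})
    if record is None:
        return 404, {"error": "not found"}
    # The PIN is never returned: the agent verifies what the caller says
    # (verify_pin below) instead of reading the secret off the screen.
    return 200, {"name": record["name"], "account": record["account"],
                 "tax_id_last4": record["tax_id"][-4:]}


def verify_pin(phone, supplied_pin):
    """Constant-time comparison of a caller-supplied PIN against the stored one."""
    record = CUSTOMERS.get(phone)
    if record is None:
        return False
    return hmac.compare_digest(record["pin"], supplied_pin)


def flag_enumeration(audit_entries, threshold=20):
    """Return (actor, ip) pairs that looked up more than `threshold` distinct
    phone numbers.  A support agent serves one caller at a time; an actor
    sweeping through numbers is what turns a lookup tool into a bulk leak."""
    seen = {}
    for entry in audit_entries:
        seen.setdefault((entry["actor"], entry["ip"]), set()).add(entry["phone"])
    return sorted(key for key, phones in seen.items() if len(phones) > threshold)


if __name__ == "__main__":
    anon = Request({"phone": "5550001111"})
    print("vulnerable, no session:", lookup_vulnerable(anon))
    print("hardened, no session:", lookup_hardened(anon))
    agent = Request({"phone": "5550001111"},
                    {"Authorization": "Bearer tok-support-1"})
    print("hardened, support agent:", lookup_hardened(agent))
    print("PIN check:", verify_pin("5550001111", "1234"))
```

The two lookups take the same request; the difference is entirely in what the hardened handler refuses and what it withholds. The audit list is what makes the enumeration check possible: without a per-lookup record tied to an actor, a sweep across phone numbers is indistinguishable from normal support traffic.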