Skip to main content
  1. Home
  2. Mobile
  3. News

Bug on T-Mobile website allowed hackers to access account info

Christian de Looper
By

T-Mobile storefront with corporate signage.
Another day, another privacy issue. Until last week, a T-Mobile website allowed hackers to gain access to personal information like email addresses, T-Mobile account numbers, and more, using only the customer’s phone number. The story was first reported by Motherboard, which said that T-Mobile fixed the issue one day after Motherboard asked the company about it.

Discovered by security researcher Karan Saini, the flaw basically allowed hackers who knew or guessed your phone number to gain valuable information that could then be used in a social engineering attack or even to gain access to other personal information elsewhere online. That put 76 million T-Mobile customers in danger of having their data compromised.

Even more concerning is the fact that, according to Saini, it would have been pretty easy for an attacker to write a script that automatically retrieved all account details through this bug. As part of the bug, hackers could also access a user’s IMSI number, which is basically a unique identifying number for customers. Using that, hackers could do things like track a user’s location, intercept texts and calls, and more. On top of that, the number could theoretically be used to conduct fraud through taking advantage of the notoriously insecure SS7 network, which is a backbone communications standard.

Related

T-Mobile, for its part, disputes some of the claims made by Saini. Instead of affecting all 76 million customers, T-Mobile says that the bug only affects a small portion of customers. The company also said that it fixed the bug within 24 hours of it being discovered and according to Saini, the company gave him $1,000 for being a part of the T-Mobile bug bounty program, which rewards people who find and report bugs and flaws.

The report comes at a time when it’s looking more and more like Sprint and T-Mobile will announce a merger in the next few weeks. It’s unlikely this report will have an affect on talks about the merger.

There does not seem to be any evidence that any malicious hackers knew about or exploited the bug, but that doesn’t mean it didn’t happen. Either way, we reached out to T-Mobile and will update this story if we hear back.

Editors' Recommendations

Topics
Video-editing app LumaFusion to get a Galaxy Tab S8 launch
A tablet featuring the LumaFusion video editing app.
Spotify Wrapped 2022: what it is and how to view it
Spotify Wrapped 2022.
This free service just hit a huge website security milestone
global internet usage one zettabyte computer server room information cloud web net
How Apple can fix iOS 16’s messy lock screen customization in iOS 17
iOS 16 lock screen on an iPhone 14 Pro
OnePlus’ new Android update policy matches Samsung, shames Google
OnePlus 10T camera module.
The best Samsung Galaxy S22 Ultra screen protectors for 2022
Man holding Phone feature image.
The most innovative tablets of 2022
Samsung galaxy tab S8 ultra on purple background
Sunbird looks like the iMessage for Android app you’ve been waiting for
Sunbird Android app screenshots.
The most innovative smartphones of 2022
Nothing Phone 1
The most innovative smartwatches and wearables of 2022
Apple Watch Ultra, purple background
These 6 things could make the Pixel 7a the perfect Google phone
The back of the Pixel 7 Pro and Pixel 6 Pro.
Best Cyber Monday Tablet Deals: iPad, Amazon Fire, Samsung Galaxy Tab
Best Cyber Monday Tablet Deals
Best Cyber Monday Smartwatch Deals: Apple Watch, Fitbit, Galaxy Watch
Best Cyber Monday Smartwatch Deals