Bug on T-Mobile website allowed hackers to access account info

Another day, another privacy issue. Until last week, a T-Mobile website allowed hackers to gain access to personal information like email addresses, T-Mobile account numbers, and more, using only the customer’s phone number. The story was first reported by Motherboard, which said that T-Mobile fixed the issue one day after Motherboard asked the company about it.

Discovered by security researcher Karan Saini, the flaw basically allowed hackers who knew or guessed your phone number to gain valuable information that could then be used in a social engineering attack or even to gain access to other personal information elsewhere online. That put 76 million T-Mobile customers in danger of having their data compromised.

Even more concerning is the fact that, according to Saini, it would have been pretty easy for an attacker to write a script that automatically retrieved all account details through this bug. As part of the bug, hackers could also access a user’s IMSI number, which is basically a unique identifying number for customers. Using that, hackers could do things like track a user’s location, intercept texts and calls, and more. On top of that, the number could theoretically be used to conduct fraud by taking advantage of the notoriously insecure SS7 network, which is a backbone communications standard.

T-Mobile, for its part, disputes some of the claims made by Saini. Instead of affecting all 76 million customers, T-Mobile says that the bug only affects a small portion of customers. The company also said that it fixed the bug within 24 hours of it being discovered. According to Saini, the company gave him $1,000 as part of the T-Mobile bug bounty program, which rewards people who find and report bugs and flaws.

The report comes at a time when it’s looking more and more like Sprint and T-Mobile will announce a merger in the next few weeks. It’s unlikely this report will have an effect on talks about the merger.

There does not seem to be any evidence that any malicious hackers knew about or exploited the bug, but that doesn’t mean it didn’t happen. Either way, we reached out to T-Mobile and will update this story if we hear back.

Christian de Looper