Skip to main content
  1. Home
  2. Mobile
  3. Android
  4. News

T-Mobile website bug reportedly exposed private customer account details

Brenda Stolyar
By
t-mobile

Due to a bug in T-Mobile’s website back in April, customers’ account information was left accessible for anyone to see, ZDnet reports. While the security flaw has since been fixed, personal information could have potentially been misused by anyone who knew where to look.

The subdomain — promotool.t-mobile.com — is a customer care portal for employees to access internal tools. But the bug allowed for it to be easily found through search engines and didn’t require a password to access the tools.

The flaw was due to a hidden API — it provided T-Mobile customer data by adding the customer’s cell phone number to the end of the web address. This data included a customer’s billing account number, postal address, and account information, such as the status of their bills, including if service for an account was suspended or a bill is past due. For some, customer account PINs and tax ID numbers were also accessible.

The API was pulled by T-Mobile a day after it was reported by security researcher Ryan Stevenson, who was also awarded a $1,000 bug bounty later. While it’s not clear how long the API was exposed, a spokesperson for T-Mobile told ZDnet that there’s no evidence any customer information was accessed.

This is isn’t the first time an issue like this has happened to T-Mobile. In October, a security flaw allowed hackers to gain access to similar information through a T-Mobile website. Hackers were able to obtain email addresses, account numbers, and more, simply by using the customer’s phone number.

The flaw was discovered by security researcher Karan Saini, and it allowed hackers to gain information that could then be used in a social engineering attack, as well as provided access to other personal information online. T-Mobile claimed the bug only affected a small amount of customers and that it was fixed within 24 hours of being discovered.

News of the most recent flaw comes a little less than a month after the merger with T-Mobile and Sprint was announced — which was also in April. While both carriers agreed on combining companies, we have yet to see whether the U.S. Justice Department will approve it.

Editors' Recommendations

Video-editing app LumaFusion to get a Galaxy Tab S8 launch
A tablet featuring the LumaFusion video editing app.
These 80+ apps could be running adware on your iPhone or Android device
Illustration of an infected iPhone
Can’t stand using Instagram in 2022? This app fixes everything you hate about it
The OG App running on an iPhone.
New malware can steal your credit card details — and it’s spreading fast
An individual surrounded by several computers typing on a laptop.
The best ad-blocking apps for Android in 2022
ad blocker feat image
Best Prime Day Fitbit Deals: What to expect on October 11
Prime Day 2022 fitbit deals graphic.
Best Prime Day iPhone Deals: What to expect on October 11
Prime Day 2022 iPhone deals graphic.
My new Apple Watch Series 8 already feels old — and that’s great
An Apple Watch Series 8 with the screen turned on.
How to quickly share Wi-Fi settings in Android
Share Wi-Fi with QR code
Best refurbished iPhone deals and sales for October 2022
An iPhone 13 in white color option.
Best refurbished iPad deals and sales for October 2022
Woman Using 2021 iPad Pro 11-inch
Best Amazon Fire tablet deals for October 2022
Amazon Fire HD 10 in hand.
The best Apple iPhone 14 screen protectors for 2022
Apple iPhone 14 and iPhone 14 Plus in purple and silver colors.