
T-Mobile website bug reportedly exposed private customer account details

Due to a bug in T-Mobile’s website back in April, customers’ account information was left accessible for anyone to see, ZDNet reports. While the security flaw has since been fixed, personal information could have potentially been misused by anyone who knew where to look.

The subdomain, promotool.t-mobile.com, is a customer care portal for employees to access internal tools. But the bug allowed it to be easily found through search engines, and the tools didn’t require a password to access.

The flaw was due to a hidden API that returned T-Mobile customer data when a customer’s cell phone number was added to the end of the web address. This data included a customer’s billing account number, postal address, and account information, such as the status of their bills, including whether service for an account was suspended or a bill was past due. For some, customer account PINs and tax ID numbers were also accessible.
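The access-control gap described above, sketched as an added Python example (not code from T-Mobile or the original report): the first handler trusts the phone number in the path, while the second requires an authenticated, authorized session, logs the lookup, and drops PIN and tax ID fields. All names, paths, tokens and records are hypothetical and constructed for illustration.

```python
# Added illustration; every name, path and value here is hypothetical.
from dataclasses import dataclass
from typing import Optional

# Constructed sample record, keyed by phone number (the identifier the
# article says was appended to the web address).
ACCOUNTS = {
    "5550100": {"billing_account": "BA-0001", "address": "1 Example St",
                "status": "past_due", "pin": "0000", "tax_id": "000-00-0000"},
}
# Constructed session store: token -> employee identity and roles.
SESSIONS = {"tok-care-1": {"user": "agent7", "roles": {"care_agent"}}}
SENSITIVE = {"pin", "tax_id"}  # fields a lookup response should never carry
AUDIT_LOG = []                 # (employee, phone number) for every lookup


@dataclass
class Request:
    path: str                           # e.g. "/lookup/5550100" (hypothetical)
    session_token: Optional[str] = None


def vulnerable_lookup(req: Request):
    """Flawed pattern: the phone number in the path is the only input used."""
    number = req.path.rsplit("/", 1)[-1]
    record = ACCOUNTS.get(number)
    return (200, record) if record else (404, None)


def hardened_lookup(req: Request):
    """Authenticate, authorize, audit, then return a minimized record."""
    session = SESSIONS.get(req.session_token or "")
    if session is None:
        return 401, None                # no anonymous access
    if "care_agent" not in session["roles"]:
        return 403, None                # logged in, but not entitled
    number = req.path.rsplit("/", 1)[-1]
    if not number.isdigit():
        return 400, None                # reject malformed identifiers
    AUDIT_LOG.append((session["user"], number))
    record = ACCOUNTS.get(number)
    if record is None:
        return 404, None
    return 200, {k: v for k, v in record.items() if k not in SENSITIVE}
```
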

The API was pulled by T-Mobile a day after it was reported by security researcher Ryan Stevenson, who was later awarded a $1,000 bug bounty. While it’s not clear how long the API was exposed, a spokesperson for T-Mobile told ZDNet that there’s no evidence any customer information was accessed.

This isn’t the first time an issue like this has happened to T-Mobile. In October, a security flaw allowed hackers to gain access to similar information through a T-Mobile website. Hackers were able to obtain email addresses, account numbers, and more, simply by using the customer’s phone number.

The flaw was discovered by security researcher Karan Saini, and it allowed hackers to gain information that could then be used in a social engineering attack, as well as providing access to other personal information online. T-Mobile claimed the bug only affected a small number of customers and that it was fixed within 24 hours of being discovered.

News of the most recent flaw comes a little less than a month after the merger between T-Mobile and Sprint was announced, which was also in April. While both carriers agreed on combining companies, we have yet to see whether the U.S. Justice Department will approve it.

Brenda Stolyar
Former Digital Trends Contributor