T-Mobile website bug reportedly exposed private customer account details

Due to a bug in T-Mobile’s website back in April, customers’ account information was left accessible for anyone to see, ZDnet reports. While the security flaw has since been fixed, personal information could have potentially been misused by anyone who knew where to look.

The subdomain — promotool.t-mobile.com — is a customer care portal for employees to access internal tools. But the bug allowed for it to be easily found through search engines and didn’t require a password to access the tools.

The flaw was due to a hidden API — it provided T-Mobile customer data by adding the customer’s cell phone number to the end of the web address. This data included a customer’s billing account number, postal address, and account information, such as the status of their bills, including if service for an account was suspended or a bill is past due. For some, customer account PINs and tax ID numbers were also accessible.
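An added illustration, not T-Mobile's code and not part of the original article: the access pattern described above (a record returned for whatever number ends the URL, with no credentials) beside a version that authenticates the caller, checks that the caller is entitled to that specific account, and withholds PINs and tax IDs. The URL path, function names, tokens and records are all constructed for the example.

```python
# Added illustration: every name, path, token and record below is constructed.
ACCOUNTS = {  # sample records keyed by phone number
    "5550100": {"billing_account": "BA-1001", "address": "1 Example St",
                "bill_status": "past_due", "pin": "4821", "tax_id": "TID-0001"},
    "5550101": {"billing_account": "BA-1002", "address": "2 Example Ave",
                "bill_status": "current", "pin": "7730", "tax_id": "TID-0002"},
}
SESSIONS = {  # session token -> authenticated employee context
    "tok-agent": {"roles": {"care_agent"}, "open_cases": {"5550100"}},
    "tok-intern": {"roles": set(), "open_cases": set()},
}
WITHHELD = {"pin", "tax_id"}  # never returned by the lookup, even to staff


def phone_from_path(path):
    """Return the last path segment, the lookup key in the pattern described."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def lookup_vulnerable(path):
    """Pattern from the article: the number in the URL is the only input."""
    record = ACCOUNTS.get(phone_from_path(path))
    return (200, record) if record else (404, None)


def lookup_hardened(path, token=None):
    """Same lookup with authentication, per-account authorization, minimization."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None                      # no valid session: not authenticated
    if "care_agent" not in session["roles"]:
        return 403, None                      # authenticated, wrong role
    phone = phone_from_path(path)
    if not phone.isdigit():
        return 400, None                      # reject malformed identifiers
    if phone not in session["open_cases"]:
        return 403, None                      # same answer whether or not it exists
    record = ACCOUNTS.get(phone)
    if record is None:
        return 404, None
    return 200, {k: v for k, v in record.items() if k not in WITHHELD}


if __name__ == "__main__":
    print(lookup_vulnerable("/api/customer/5550101"))
    print(lookup_hardened("/api/customer/5550101", "tok-agent"))
    print(lookup_hardened("/api/customer/5550100", "tok-agent"))
```

The per-account check is the part a login page alone does not give you: an authenticated agent still receives 403 for any number outside their open cases, and the response is identical whether or not that number exists.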

The API was pulled by T-Mobile a day after it was reported by security researcher Ryan Stevenson, who was also awarded a $1,000 bug bounty later. While it’s not clear how long the API was exposed, a spokesperson for T-Mobile told ZDnet that there’s no evidence any customer information was accessed.

This isn’t the first time an issue like this has happened to T-Mobile. In October, a security flaw allowed hackers to gain access to similar information through a T-Mobile website. Hackers were able to obtain email addresses, account numbers, and more, simply by using the customer’s phone number.

The flaw was discovered by security researcher Karan Saini, and it allowed hackers to gain information that could then be used in a social engineering attack, as well as providing access to other personal information online. T-Mobile claimed the bug only affected a small number of customers and that it was fixed within 24 hours of being discovered.

News of the most recent flaw comes a little less than a month after the merger of T-Mobile and Sprint was announced, which was also in April. While both carriers agreed on combining companies, we have yet to see whether the U.S. Justice Department will approve it.

Brenda Stolyar
Former Digital Trends Contributor