A bug on T-Mobile’s website, fixed just last week, allowed anyone to pull up a customer’s personal data using nothing more than that customer’s phone number, according to a report from Motherboard. The bug was discovered by security researcher Karan Saini, and T-Mobile fixed it a day after being notified.
“An attacker could have run a script to scrape the data (email, name, billing account number, [your phone’s] IMSI number, other numbers under the same account) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini told Motherboard. “That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim.”
A blackhat hacker contacted Motherboard anonymously to say that the bug had indeed been found and exploited by malicious hackers in recent weeks.
“A bunch of SIM-swapping skids had the [vulnerability] and used it for quite a while,” the hacker told the site, even offering up the story author’s own personal account data.
While Saini’s assessment of the situation is pretty grim, T-Mobile says that it doesn’t believe this flaw affected a large number of users.
“We were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly,” the company said in a statement. “We appreciate responsible reporting of bugs through our Bug Bounty program to protect our customers and encourage researchers to contact us at email@example.com, firstname.lastname@example.org, email@example.com.”
If the hacker is right, though, the exposed information goes well beyond a name and an email address. The IMSI is the identifier the network uses for your SIM; paired with your name, billing account number and the other numbers on the account, it gives an attacker most of what is needed to talk a carrier into a SIM swap (hijacking your number), and it is the identifier used for SS7-based location queries and for intercepting calls and text messages.
The bug is serious, but T-Mobile deserves some credit for fixing it within a day of being told. Its statement that there is “no indication” of wider abuse is only as good as the web logs that would show a script walking through phone numbers, so we hope the company is going through those logs thoroughly. With some 76 million customers potentially exposed and the amount of personal information involved, it could be a repeat of the Equifax fiasco. Keep an eye on your accounts in the coming weeks.
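The scrape Saini describes, and the log review we are hoping for, are two sides of one check: a real customer looks up one or two numbers on their own account, while a scraper walks through thousands. Below is an added example of that check, written for this article and not code from T-Mobile or from the researcher. It reads Common Log Format lines, keeps a sliding window of lookups per client and flags any client that queries more distinct phone numbers than a customer plausibly would. The endpoint path `/api/account/lookup`, the `msisdn` query parameter and the log lines are all constructed stand-ins; the article does not name the real endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Hypothetical lookup endpoint and parameter name. The article does not name the
# real one, so these are stand-ins for "an API that takes a phone number".
LOOKUP_PATH = "/api/account/lookup"
PHONE_PARAM = "msisdn"

# Common Log Format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, phone) for a lookup request, or None for anything else.

    Every lookup attempt counts, whatever the status code: a scraper walking a
    number range also produces 404s for unassigned numbers, and those are evidence too.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != LOOKUP_PATH:
        return None
    phones = parse_qs(url.query).get(PHONE_PARAM)
    if not phones:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), phones[0]


def find_enumerators(lines, window=timedelta(minutes=10), max_distinct=10):
    """Map client IP -> peak number of distinct phone numbers looked up inside one window.

    Only clients exceeding max_distinct are returned. Lines are assumed to be in
    chronological order per client, which is how a web server writes its access log.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, phone) inside the window
    flagged = {}
    for ip, ts, phone in filter(None, map(parse_line, lines)):
        q = recent[ip]
        q.append((ts, phone))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop lookups that fell out of the sliding window
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def constructed_log():
    """Constructed sample log (not real traffic): one customer and one scraper."""
    base = datetime(2017, 10, 6, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path}?{param}={phone} HTTP/1.1" {status} 512'
    lines = []

    def add(ip, when, phone, status=200):
        lines.append(fmt.format(ip=ip, ts=when.strftime(TS_FMT), path=LOOKUP_PATH,
                                param=PHONE_PARAM, phone=phone, status=status))

    # Legitimate customer: their own number, then a second line on the same account.
    add("198.51.100.5", base, "14255550100")
    add("198.51.100.5", base + timedelta(minutes=3), "14255550101")
    # Scraper: 30 consecutive numbers in about three minutes, with 404s for unassigned ones.
    for i in range(30):
        add("203.0.113.7", base + timedelta(seconds=6 * i),
            str(14255551000 + i), status=200 if i % 7 else 404)
    # Unrelated request, ignored by the parser.
    lines.append('192.0.2.9 - - [06/Oct/2017:14:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    for ip, count in find_enumerators(constructed_log()).items():
        print(f"{ip}: {count} distinct numbers looked up within one window")
```

The threshold and window are the tunable part: ten distinct numbers in ten minutes is far above what one household’s account produces, and well below a scraper working through 76 million numbers. Running the check over a rotated log tells you whether the “no indication” claim holds, and which client addresses to look at if it does not.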