A bug on T-Mobile‘s website may have allowed hackers to view your personal information. The bug, which has since been patched, allowed hackers to view your email address, account number, and even your phone’s IMSI number (a unique number that identifies subscribers). According to the researcher that found the bug, there was no way to prevent someone writing a script and finding out the information for all 76 million potential victims.
The research, Karan Saini of security startup Secure7 told Motherboard,
T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users
This obviously has major security implications. Saini even went as far as to classify it as a “very critical data breach” where “every T-Mobile cell phone owner (is) a victim”. Using this information, it could be easier than ever to socially engineer access to your account.
Earlier this year, several well-known YouTubers were hacked via social engineering. Hackers called T-Mobile’s customer care with just enough information to get reps to issue a new SIM card number for the target’s phone number. The hacker would then insert that SIM card into their own phone and hijack the YouTuber’s phone number. All of their calls and text messages would then go to the hacker. This has severe security implications since so many services use text messages for two-factor authentication.
This specific bug was within a T-Mobile API. When querying a phone number, Saini says that the system would return a response will all of the account information associated with it. To its credit, T-Mobile says it patched the bug within 24 hours of being notified. It also disputes Saini’s claim that all T-Mobile customers were vulnerable. T-Mobile says that only a small part of its customers were affected and there’s no indication that the exploit was shared more broadly.
A blackhat hacker is throwing water on that claim. After Motherboard first published its story, the hacker contacted the author to inform them that the exploit had been widely used in the weeks running up to it being patched. The hacker even passed along the author’s account details to them to prove its claim. When contacted about the hacker’s claim, T-Mobile responded with the following statement:
We resolved the vulnerability that was reported to us by the researcher in less than 24 hours and we have confirmed that we have shut down all known ways to exploit it. As of this time we’ve found no evidence of customer accounts affected as a result of this vulnerability.
Regardless of how many customers were affected or how much information was obtained, we suggest T-Mobile customers take steps to protect themselves. The account holder can add a password to the account and prevent things like issuing new SIM card numbers or adding lines to an account. In light of recent events, that doesn’t seem like the worst idea.