T-Mobile Website Bug Exposed customer's Personal Data

A bug on T-Mobile Website allows hackers to steal customers personal data such as email addresses, T-Mobile customer account numbers and their phone’s IMSI, a unique identifier assigned to every device.

The bug was discovered by security researcher Karan Saini which allowed anyone who knew or guessed a customer’s phone number to acquire information that could be utilized for social engineering attacks or even hijack a target’s numbers, reported first by Motherboard.

“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,”Saini Founder of Secure7 told Motherboard.

It is classified as a very critical data breach and it impacted every T-Mobile phone owner. The bug resides with wsg.t-mobile.com API.

Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.

- Advertisement -

Also Read North Korean Hackers Stole US-South Korean War Data Plans worth 235 Gigabyte

T-Mobile told Motherboard the issue impacted only for a small part of customers and we investigated and resolved the issue within 24 hours and there is no sign that it was shared more broadly.

Saini said T-Mobile thanked him by offering him a bounty of $1,000 which rewards Whitehat hackers and penetration testers who find bugs and alert company of vulnerabilities.

But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

They have also uploaded a video on youtube on how to exploit it.

T-Mobile Website Bug Allowed Hackers to Access Millions of customer’s Personal Data

Supply Chain Attack Prevention

Follow Us on Google News

Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.

But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Resilience at Scale

Why Application Security is Non-Negotiable

Discussion points

More like this

Massive Attack: 4,800+ IPs Used to Target Git Configuration Files

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

Hackers Claim TikTok Breach, Leak Over 900,000 Usernames and Passwords

How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities

How to Build and Run a Security Operations Center (SOC Guide) – 2023

Network Penetration Testing Checklist – 2025