T-Mobile Website Bug Exposed customer's Personal Data

A bug on T-Mobile Website allows hackers to steal customers personal data such as email addresses, T-Mobile customer account numbers and their phone’s IMSI, a unique identifier assigned to every device.

The bug was discovered by security researcher Karan Saini which allowed anyone who knew or guessed a customer’s phone number to acquire information that could be utilized for social engineering attacks or even hijack a target’s numbers, reported first by Motherboard.

“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,”Saini Founder of Secure7 told Motherboard.

It is classified as a very critical data breach and it impacted every T-Mobile phone owner. The bug resides with wsg.t-mobile.com API.

Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.

- Advertisement -

Also Read North Korean Hackers Stole US-South Korean War Data Plans worth 235 Gigabyte

T-Mobile told Motherboard the issue impacted only for a small part of customers and we investigated and resolved the issue within 24 hours and there is no sign that it was shared more broadly.

Saini said T-Mobile thanked him by offering him a bounty of $1,000 which rewards Whitehat hackers and penetration testers who find bugs and alert company of vulnerabilities.

But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

They have also uploaded a video on youtube on how to exploit it.

T-Mobile Website Bug Allowed Hackers to Access Millions of customer’s Personal Data

Supply Chain Attack Prevention

Follow Us on Google News

Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.

But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Resilience at Scale

Why Application Security is Non-Negotiable

Discussion points

More like this

Hackers Expose 184 Million User Passwords via Open Directory

Inside LockBit: Data Leak Reveals Leading Affiliates and How They Operate

ViciousTrap Hackers Breaches 5,500+ Edge Devices from 50+ Brands, Turns Them into Honeypots

How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities

How to Build and Run a Security Operations Center (SOC Guide) – 2023

Network Penetration Testing Checklist – 2025