Thursday, June 20, 2024

T-Mobile Website Bug Allowed Hackers to Access Millions of customer’s Personal Data

A bug on T-Mobile Website allows hackers to steal customers personal data such as email addresses, T-Mobile customer account numbers and their phone’s IMSI, a unique identifier assigned to every device.

The bug was discovered by security researcher Karan Saini which allowed anyone who knew or guessed a customer’s phone number to acquire information that could be utilized for social engineering attacks or even hijack a target’s numbers, reported first by Motherboard.

“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,”Saini Founder of Secure7 told Motherboard.

It is classified as a very critical data breach and it impacted every T-Mobile phone owner. The bug resides with API.

Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.

Also Read North Korean Hackers Stole US-South Korean War Data Plans worth 235 Gigabyte

T-Mobile told Motherboard the issue impacted only for a small part of customers and we investigated and resolved the issue within 24 hours and there is no sign that it was shared more broadly.

Saini said T-Mobile thanked him by offering him a bounty of $1,000 which rewards Whitehat hackers and penetration testers who find bugs and alert company of vulnerabilities.

But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

They have also uploaded a video on youtube on how to exploit it.


Latest articles

1inch partners with Blockaid to enhance Web3 security through the 1inch Shield

1inch, a leading DeFi aggregator that provides advanced security solutions to users across the...

Hackers Exploit Progressive Web Apps to Steal Passwords

In a concerning development for cybersecurity, hackers are increasingly leveraging Progressive Web Apps (PWAs)...

INE Security: Optimizing Teams for AI and Cybersecurity

2024 is rapidly shaping up to be a defining year in generative AI. While...

Threat Actor Claims Breach of Jollibee Fast-Food Gaint

A threat actor has claimed responsibility for breaching the systems of Jollibee Foods Corporation,...

Threat Actors Claiming Breach of Accenture Employee Data

Threat actors have claimed responsibility for a significant data breach involving Accenture, one of...

Diamorphine Rootkit Exploiting Linux Systems In The Wild

Threat actors exploit Linux systems because they are prevalent in organizations that host servers,...

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles