T-Mobile website vulnerability allowed you to look up any customer’s information

By | 25th May 2018

T-Mobile

  • A flaw in T-Mobile’s website allowed anyone to look up customers’ details.
  • All you needed was a customer’s phone number, and you could look up their account information and more.
  • T-Mobile has since patched the flaw, though this is not the first time this has happened.


T-Mobile might be celebrating its proposed merger with Sprint, but it won’t be celebrating its website’s security. A flaw in T-Mobile’s website allowed anyone to access millions of customers’ information, reported ZDNet.

Designed as a customer care portal for employees, the website features a hidden API that allows employees to look up account details. Unfortunately, security researcher Ryan Stevenson found that the API was not protected with a password.

As such, all you needed was a customer’s phone number to access all of their information. That information included a customer’s full name, postal address, billing account number, account information, and, in some cases, tax identification numbers.

Accessible information even included references to a customer’s account PIN that was used to verify accounts when contacting customer support.

Stevenson reported the unprotected API back in early April through T-Mobile’s bug bounty program. The carrier subsequently pulled the API offline for a day and awarded Stevenson $1,000 for his discovery.

According to a T-Mobile spokesperson, the carrier found no evidence that customers’ information was compromised through the bug.

Editor's Pick

If all of this sounds familiar, that is because the carrier dealt with a similar issue in October 2017. At the time, it said only a small part of its customers were affected and there was no indication that the exploit was broadly shared.

However, it came to light that hackers reportedly knew about and used the exploit for weeks. T-Mobile then affirmed that it found no evidence of the bug affecting customer accounts.

Regardless of whether the recently disclosed website vulnerability did not lead to compromised accounts, we suggest customers take steps to protect themselves. They can add passwords to their accounts and prevent things like issuing new SIM cards or adding new lines.