A security researcher has revealed that a recently patched hole in T-Mobile's security made it possible for hackers to vacuum up all your personal account information, and all they needed was your phone number. And you probably give that out all the time. T-Mobile says the vulnerability has been corrected, but there's some question as to how severe the data breach might have been.
According to Motherboard, the flaw was reported to T-Mobile by security researcher Karan Saini. T-Mobile's wsg.t-mobile.com API was misconfigured and could be queried directly with a phone number. The API would then reply with all the account data associated with that number. That included addresses, account numbers, email addresses, other numbers on the same account, and device IMSI numbers. That's basically everything you need to take over someone's account, spam them, or spear-phish them.
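To make the defect class concrete, here is an added illustration (not T-Mobile's code, and not the actual wsg.t-mobile.com API): a toy subscriber-lookup service in which the vulnerable handler returns a full record for any phone number with no authentication at all, next to a hardened handler that requires a session, checks that the requested number belongs to the caller's own account, and returns only the fields a self-service endpoint needs. It also includes a simple log-based check for the bulk enumeration that, according to the article, went unnoticed for weeks. All accounts, tokens, IP addresses and numbers are constructed sample data.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample subscriber records (hypothetical values, not real data).
ACCOUNTS = {
    "+15550100001": {
        "account_id": "A-1001", "name": "Alice Example",
        "address": "1 Sample St", "email": "alice@example.com",
        "imsi": "310260000000001", "lines": ["+15550100001", "+15550100003"],
    },
    "+15550100002": {
        "account_id": "A-1002", "name": "Bob Example",
        "address": "2 Sample St", "email": "bob@example.com",
        "imsi": "310260000000002", "lines": ["+15550100002"],
    },
}

# Constructed session store: bearer token -> authenticated account id.
SESSIONS = {"tok-alice": "A-1001", "tok-bob": "A-1002"}


def vulnerable_lookup(phone: str) -> Optional[dict]:
    """The defect class described in the article: the only input is a phone
    number, and the full record (address, email, IMSI, other lines) comes back
    for anyone who asks. No authentication, no ownership check."""
    return ACCOUNTS.get(phone)


class Forbidden(Exception):
    pass


# Fields a customer self-service endpoint actually needs to expose.
SAFE_FIELDS = ("account_id", "name", "lines")


def hardened_lookup(phone: str, token: Optional[str]) -> dict:
    """Require an authenticated session, confirm the requested number belongs
    to that session's account, and return only the fields the caller needs."""
    account_id = SESSIONS.get(token or "")
    if account_id is None:
        raise Forbidden("authentication required")
    record = ACCOUNTS.get(phone)
    # One response for "no such number" and "not your number": the endpoint
    # must not confirm which numbers exist.
    if record is None or record["account_id"] != account_id:
        raise Forbidden("not permitted")
    return {k: record[k] for k in SAFE_FIELDS}


def lookup_status(phone: str, token: Optional[str]) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the refusal reason."""
    try:
        hardened_lookup(phone, token)
        return "ok"
    except Forbidden as exc:
        return str(exc)


def enumeration_alerts(events, threshold: int = 3):
    """Detection side: flag any caller that looks up more distinct phone
    numbers than a normal customer would. `events` is an iterable of
    (caller_ip, phone) tuples taken from the API access log."""
    seen = defaultdict(set)
    for ip, phone in events:
        seen[ip].add(phone)
    return sorted(ip for ip, phones in seen.items() if len(phones) > threshold)


if __name__ == "__main__":
    print(vulnerable_lookup("+15550100002"))             # full record, no auth
    print(hardened_lookup("+15550100001", "tok-alice"))  # own number only
    print(lookup_status("+15550100002", "tok-alice"))    # not permitted
    # Constructed access-log sample: one caller sweeping several numbers.
    log = [("10.0.0.5", "+15550100001"), ("10.0.0.5", "+15550100002"),
           ("10.0.0.5", "+15550100009"), ("10.0.0.5", "+15550100010"),
           ("10.0.0.7", "+15550100001")]
    print(enumeration_alerts(log))                       # ['10.0.0.5']
```

The ownership check in `hardened_lookup` is the part that was missing: identifying the account from the phone number is fine, but the server must also prove the caller is entitled to that account, and it should refuse with the same error whether the number is unknown or simply not the caller's. The `enumeration_alerts` check is deliberately crude (a per-source count of distinct numbers over a log window); in practice the threshold and the key (IP, API key, session) depend on how the endpoint is normally used.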
T-Mobile says it corrected the vulnerability within 24 hours of being notified by Saini, but that's not the end of the story. After posting the story, Motherboard was contacted by a black-hat hacker claiming the security hole was known to people in the hacking community for at least several weeks before it was fixed. These individuals used it to hijack phone numbers by requesting new SIM cards using the account information obtained via the hack. As proof, the hacker provided the reporter with the reporter's own T-Mobile account information. That could indicate there's a database of T-Mobile users out there, but T-Mobile says it has no evidence of that. Of course, it didn't know about the bug in the first place either.