T-Mobile customers, your data has been put at risk by your carrier, once again. In what seems like copypasta at this point, a security researcher recently found a bug in a publicly discoverable subdomain on T-Mobile's website that gave anyone access to customer data using just a phone number. It's almost like T-Mobile wants to award those bug bounties.
This time around, a not-hidden-enough API in promotool.t-mobile.com, apparently a "Customer Care Portal" for employees, allowed any enterprising individual to access T-Mobile customer data by appending the customer's phone number to the end of the URL — no password required. Doing this yielded the customer's full name, billing account number, account status information (e.g., past-due bills or account suspensions), and account PINs (used to initiate customer service interactions), according to ZDNet. In some cases, tax identification numbers were exposed.
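To make the failure concrete, here is an added illustration (not T-Mobile's code, and the customer record, session table and field names are constructed for the example) of a lookup handler keyed on the phone number in the URL with no authentication, next to a hardened version that requires an employee session, withholds the PIN and tax ID from the response, and writes every lookup to an audit trail:

```python
from typing import Optional, Tuple, List, Dict

# Constructed sample data standing in for a carrier's customer records and
# an employee single-sign-on session store (hypothetical names and values).
CUSTOMERS: Dict[str, dict] = {
    "2065550123": {"name": "A. Example", "billing_account": "900123456",
                   "status": "past_due", "pin": "4821", "tax_id": "XXX-XX-1234"},
}
EMPLOYEE_SESSIONS: Dict[str, dict] = {"sess-ok": {"user": "care.agent", "role": "care"}}

def lookup_unauthenticated(phone: str) -> Tuple[int, dict]:
    """The weak pattern: the phone number from the URL is the only input and
    the full record, PIN and tax ID included, goes back to whoever asked."""
    record = CUSTOMERS.get(phone)
    return (200, dict(record)) if record else (404, {})

def lookup_hardened(phone: str, session_token: Optional[str],
                    audit: List[str]) -> Tuple[int, dict]:
    """Hardened handler: an employee session with the care role is required,
    secrets used to authenticate the customer never leave the server, and
    every attempt is logged with the number masked to its last four digits."""
    masked = "***" + phone[-4:]
    session = EMPLOYEE_SESSIONS.get(session_token or "")
    if session is None or session.get("role") != "care":
        audit.append(f"DENY phone={masked}")
        return (401, {"error": "employee authentication required"})
    audit.append(f"ALLOW user={session['user']} phone={masked}")
    record = CUSTOMERS.get(phone)
    if record is None:
        return (404, {})
    # Data minimisation: the PIN is for verifying the caller, not for display.
    return (200, {k: v for k, v in record.items() if k not in ("pin", "tax_id")})
```

The audit trail is what lets a defender answer the question the carrier was asked: whether any record was actually pulled and by whom.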
Security researcher Ryan Stevenson spotted the bug and reported it to T-Mobile in early April, for which he received a $1,000 bug bounty and some swag. The carrier pulled the API a day after Stevenson alerted them to it.
"The bug was patched as soon as possible and we have no evidence that any customer information was accessed," a T-Mobile spokesperson told ZDNet.
This should sound familiar because a very similar bug was reported last fall. In that case, it appeared that hackers had a few weeks to take advantage of the vulnerability despite T-Mobile saying it made the correction within 24 hours of learning about it. Late last year, the carrier addressed another website bug that exposed records of user logins.
If you're a T-Mobile customer and think your personal info was stolen and used to set up a new account or make changes to your current account, you can work with the carrier to remedy the situation. Maybe Sprint can bring its web security team as part of its merger with T-Mobile?