T-Mobile has recently patched a flaw in how it stores customer information. Reported by ZDNet, the wireless provider was storing its customers’ personal data on a website that lacked password protection and may have been vulnerable for months.
Whoosh! Screen Cleaner
The data was available for anyone to look up who knew the T-Mobile subdomain. Intended for T-Mobile internal use, the previously non-password protected site that could be found via search engine turned up a lot of personal data by just entering a phone number.
The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.
The data also included references to account PINs used by customers as a security question when contacting phone support. Anyone could use that information to hijack accounts.
ZDNet notes that T-Mobile pulled the API last month after it was reported by Ryan Stevenson, a security researcher.
A T-Mobile spokesperson responded by saying that “The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
Notably, the carrier suffered from a very similar issue last year on a different subdomain as spotted by Motherboard.
T-Mobile said the same then that it had “no evidence” that data was compromised, but that later changed.
Although T-Mobile said at the time it found “no evidence” that customer data was stolen, it later transpired that hackers already found the exposed API and had been exploiting the bug for weeks. The hackers proved this by providing the Motherboard reporter with his own data.
While not directly related to this flaw, ironically, T-Mobile Austria was last month using some laughably silly arguments about security and storing customer data in plain text.
It’s not clear how long the latest unprotected site was up and running, but it looks like at least since last October.