T-Mobile website exposed customer data, had no password protection

T-Mobile has recently patched a flaw in how it stores customer information. Reported by ZDNet, the wireless provider was storing its customers’ personal data on a website that lacked password protection and may have been vulnerable for months.

The data was available for anyone to look up who knew the T-Mobile subdomain. Intended for T-Mobile internal use, the previously non-password protected site that could be found via search engine turned up a lot of personal data by just entering a phone number.

The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.

The data also included references to account PINs used by customers as a security question when contacting phone support. Anyone could use that information to hijack accounts.

ZDNet notes that T-Mobile pulled the API last month after it was reported by Ryan Stevenson, a security researcher.

A T-Mobile spokesperson responded by saying that “The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”

Notably, the carrier suffered from a very similar issue last year on a different subdomain as spotted by Motherboard.

T-Mobile said the same then that it had “no evidence” that data was compromised, but that later changed.

Although T-Mobile said at the time it found “no evidence” that customer data was stolen, it later transpired that hackers already found the exposed API and had been exploiting the bug for weeks. The hackers proved this by providing the Motherboard reporter with his own data.

While not directly related to this flaw, ironically, T-Mobile Austria was last month using some laughably silly arguments about security and storing customer data in plain text.

It’s not clear how long the latest unprotected site was up and running, but it looks like at least since last October.

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Michael Potuck Michael Potuck

Michael is an editor for 9to5Mac. Since joining in 2016 he has written more than 3,000 articles including breaking news, reviews, and detailed comparisons and tutorials.