T-Mobile has suffered another data breach, which has reportedly put millions of customers at risk. Their personal information was left available to anyone who wanted to grab it.
According to reports, the breach stems from a security flaw in the promotool.t-mobile.com website, which is meant to be used only by company employees. The subdomain, which serves as a customer support portal, was found not to be secured with a password or any other kind of authentication. Anyone who knows the name of the subdomain can get access to the company’s internal tool. Thus, a hacker can simply enter any phone number on the subdomain and get all information pertaining to T-Mobile customers. This could include names, addresses, security PINs, tax identification numbers, billing account numbers etc. Such data, when it ends up in the hands of cyber criminals, could cause great trouble for the users, including loss of money, identity theft etc.
This mobile security issue, which could have caused the personal data of at least 74 million people to be exposed, came to light when security researcher Ryan Stevenson discovered a bug in the T-Mobile customer support portal and promptly reported the matter to the company. The company immediately shut down the portal and rewarded the researcher under its Bug Bounty program, which was instituted to reward and encourage researchers who spot mobile security vulnerabilities and alert the company to them.
Notably, the T-Mobile customer support portal had been available since October 2017, and hence it is not known whether cyber criminals had spotted the bug before Ryan Stevenson did. There are reports that hackers have come up with proof stating they had stolen customers’ data even before the company got the chance to patch the vulnerability. A T-Mobile spokesperson has reportedly told the media that no customer information has been stolen and that the bug was fixed on time.
Well, this is not the first time that T-Mobile has been targeted. Security researchers had, in October last year, detected a flaw in the company’s website; this flaw, according to them, could have helped hackers scrape customers’ personal data, including T-Mobile account numbers, phone IMSI numbers, email addresses etc. The flaw was fixed promptly and no one, it seemed, was affected.
Similarly, there was another breach that was detected almost three years ago. This security breach, which happened when hackers targeted Experian, the company that managed T-Mobile customers’ credit card applications and processes, led to the sensitive personal data of almost 15 million T-Mobile customers being breached. The data breach, which reportedly occurred between September 1, 2013 and September 16, 2015, exposed customers’ personal information such as dates of birth, names, Social Security and driver’s license numbers etc. Credit card details and payment information, however, were not breached.