Stories

T-Mobile flaw let anyone access user info with only a phone number

A San Francisco T-Mobile Store
A T-Mobile glitch left accounts exposed. Photo: Justin Sullivan / Getty

An exposed online interface for T-Mobile let anyone access user info knowing only a phone number.

The details: Researcher Ryan Stevenson notified T-Mobile of the bug in April, and the wireless carrier took down the problematic service the next day. The bug was first reported on by ZDNet.

  • Until it was taken down, T-Mobile had an active online tool for its computer programmers to connect its employees to the customer database, known as an API.
  • The API delivered information including address, PIN, account number and, on some accounts, tax identification number.
  • Researchers found a separate, similar T-Mobile bug in October.

A representative confirmed that T-Mobile investigated the flaw but found no sign any data had actually been stolen.

T-Mobile