An exposed online interface for T-Mobile let anyone access user info knowing only a phone number.

The details: Researcher Ryan Stevenson notified T-Mobile of the bug in April, and the wireless carrier took down the problematic service the next day. The bug was first reported on by ZDNet.

• Until it was taken down, T-Mobile had an active online tool for its computer programmers to connect its employees to the customer database, known as an API.
• The API delivered information including address, PIN, account number and, on some accounts, tax identification number.
• Researchers found a separate, similar T-Mobile bug in October.

A representative confirmed that T-Mobile investigated the flaw but found no sign any data had actually been stolen.