May 24, 2018

T-Mobile flaw let anyone access user info with only a phone number

A T-Mobile glitch left accounts exposed. Photo: Justin Sullivan / Getty

An exposed online interface for T-Mobile let anyone access user info knowing only a phone number.

The details: Researcher Ryan Stevenson notified T-Mobile of the bug in April, and the wireless carrier took down the problematic service the next day. The bug was first reported on by ZDNet.

  • Until it was taken down, T-Mobile had an active online tool, known as an API, that its computer programmers used to connect employees to the customer database.
  • The API delivered information including address, PIN, account number and, on some accounts, tax identification number.
  • Researchers found a separate, similar T-Mobile bug in October.

A representative confirmed that T-Mobile investigated the flaw but found no sign any data had actually been stolen.
