Bug reportedly exposed T-Mobile customers' personal data

A website flaw allowed access to a customer's data by guessing their phone number, Motherboard reports.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
T-Mobile Prism

A flaw in T-Mobile's website allowed access to a customer's data by guessing their phone number, Motherboard reports.

Josh Miller

A vulnerability on T-Mobile 's website allowed access to millions of customers' personal data, including email addresses and account numbers, Motherboard reported Tuesday.

The flaw, which Motherboard said was discovered by security researcher Karan Saini, could have allowed hackers who knew -- or guessed -- a customer's phone number to obtain data valuable in social engineering attacks, or perhaps even hijacking victim's numbers. The bug was repaired Friday after Motherboard asked the wireless carrier about the issue.

Saini told Motherboard that an attacker could leverage the vulnerability by writing a script to siphon data from T-Mobile's 76 million customer accounts to create a searchable database of up-to-date information on its users. He classified it as "a very critical data breach."

T-Mobile disputed those findings in a statement late Tuesday.

"We resolved the vulnerability that was reported to us by the researcher in less than 24 hours, and we have confirmed that we have shut down all known ways to exploit it," the company said in a statement. "As of this time we've found no evidence of customer accounts affected as a result of this vulnerability."

This isn't the first time T-Mobile customers' personal data has been exposed. Hackers stole the personal data of 15 million T-Mobile customers by going after Experian, the company that processes the wireless carrier's credit checks. The credit-reporting bureau said in 2015, over a two-year period, hackers made off with data that included customers' names, birth dates, addresses and Social Security and drivers' license numbers.

Updated at 11 p.m. PT with T-Mobile statement.

Special Reports: All of CNET's most in-depth features in one easy spot.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.