A glitch has been reported that may affect the privacy of roughly 74 million T-Mobile customers. The glitch allowed anyone to look up a customer’s private details, including names, addresses, billing account numbers, and even some tax information. Additional information could also have been accessed, including whether bills were past due, whether the customer had ever had their service suspended, and references to account PINs. With all that information, hackers might access accounts by calling T-Mobile customer service and then do as they please.
A security researcher named Ryan Stevenson exposed the bug, and its cause was found to be an unprotected API on the subdomain promotool.t-mobile.com. Stevenson was rewarded $1,000 for reporting the bug through the bug bounty program. The program is in place so that a researcher who finds a flaw and reports it can be fairly compensated as well as fairly treated. It’s something that has surely saved T-Mobile. Ryan Stevenson sent several screenshots of customers’ information to ZDNet so that the problem could be mended.
The time is now to hold cellular providers to a higher standard. This flaw could not only have given hackers access to information that businesses need protected in order to run smoothly, but could also have set people back by exposing them to digital identity theft. Money could be taken out of customers’ accounts and it wouldn’t be detected for a while, because of the roundabout route hackers could take by calling and pretending they are the customer.
The flaw is now supposedly fixed and things are back to normal for all accounts within T-Mobile’s customer base. However, this problem is almost identical to an earlier bug that was found in 2017 on a different T-Mobile subdomain. One thing that is not known is how long the latest bug was in effect, yet there is information that suggests that the site has been active since at least October of 2017.
Data protection is an increasingly important aspect of all digital commerce, and breaches like these are a big part of what NationalNet helps our customers to avoid. Talk to the NationalNet security team any time if you have questions, see something suspicious on your sites, or want to discuss the steps that can be taken to further lock down the data in your fully managed hosting network.