T-Mobile Security Vulnerability Exposed Users’ Account Data
A security bug discovered last week may have endangered the account data of T-Mobile’s 70 million customers.
Using the exploit, hackers needed only to enter a phone number to gain access to a customer’s personal data. The data returned by a simple search query included their name, email and the other phone numbers on their account.
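A lookup that answers for any phone number can be scripted across many numbers, so one defender-side check is to flag sources that query many distinct numbers in a short window. This is an added example, not code from the article or from T-Mobile; the log format and the /lookup?msisdn= endpoint name are constructed assumptions.

```python
"""Flag scraping of a phone-number lookup endpoint from access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real carrier logs). The /lookup?msisdn=
# path is an assumed name for an API that returns account data for a
# phone number, as the article describes.
SAMPLE_LOG = """\
203.0.113.5 [2017-10-10T12:00:00Z] GET /lookup?msisdn=5550001001 200
203.0.113.5 [2017-10-10T12:00:01Z] GET /lookup?msisdn=5550001002 200
203.0.113.5 [2017-10-10T12:00:01Z] GET /lookup?msisdn=5550001003 200
203.0.113.5 [2017-10-10T12:00:02Z] GET /lookup?msisdn=5550001004 200
203.0.113.5 [2017-10-10T12:00:02Z] GET /lookup?msisdn=5550001005 200
203.0.113.5 [2017-10-10T12:00:03Z] GET /lookup?msisdn=5550001006 200
198.51.100.7 [2017-10-10T12:00:05Z] GET /lookup?msisdn=5550009999 200
198.51.100.7 [2017-10-10T12:30:00Z] GET /lookup?msisdn=5550009999 200
"""
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] GET /lookup\?msisdn=(?P<msisdn>\d+) (?P<status>\d{3})$"
)

def parse_log(text):
    """Return (ip, timestamp, msisdn) tuples for lines that hit the endpoint."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((m["ip"], ts, m["msisdn"]))
    return events

def find_enumerators(events, window=timedelta(minutes=5), threshold=5):
    """Map each source IP that looked up more than `threshold` distinct
    numbers inside any `window`-long span to the largest such count.
    A legitimate self-service user repeats one number; a scraper walks many."""
    by_ip = defaultdict(list)
    for ip, ts, msisdn in events:
        by_ip[ip].append((ts, msisdn))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window
                start += 1
            distinct = {n for _, n in rows[start:end + 1]}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

On the constructed sample, the first source walks six distinct numbers in three seconds and is flagged, while the second repeats one number and is not.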
“A Critical Data Breach”
Saini told Motherboard “an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members)” of the company’s 70 million customers. He said the data could be used to “create a searchable database with accurate and up-to-date information of all users.”
This would “effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim.”
For their part, T-Mobile says the bug was fixed within 24 hours. They also claim it only affected a small portion of their customers, and that they’ve “found no evidence of customer accounts affected as a result of this vulnerability.”
However, Lorenzo Franceschi-Bicchierai, author of the Motherboard article, disagrees. He says he was contacted by a hacker who said the bug had, in fact, been found and exploited by “malicious hackers.” Franceschi-Bicchierai said that “to prove their claim, the hacker sent me my own account’s data.”
Further, it’s hard to believe the exploit hadn’t been taken advantage of when a video walkthrough was posted to YouTube. Uploaded on Aug. 8, the video’s description reads, “Still works as of start of August.”
One potential use of the data would be to conduct what’s known as a “sim swap.” Hackers would call T-Mobile’s customer service department and use the account data to request a new SIM card number. They could then take control of the person’s phone number, rerouting calls and texts to the hacker.
This method can also enable hackers to get through the text message two-factor authentication used by many online accounts. Services such as email clients, banks and even tax preparers will text one-time codes for users to log in to their accounts. After a “sim swap,” the hacker would receive the code instead of the victim.
What Can I Do to Protect Myself?
If you have an account with T-Mobile, there is a way to protect yourself. T-Mobile allows users to create a customer care password to identify themselves when calling customer service. You can learn more at T-Mobile’s Privacy & Security Resources page.