It seems that poor security and engineering behind the website of US carrier MetroPCS would’ve allowed hackers to make off with the personal data of over 10 million subscribers. At least, until it was fixed earlier this month. In a new report from Motherboard, it was revealed that a pair of security researchers discovered a bug in the MetroPCS website that left data including customers’ addresses and their phones’ serial numbers exposed to cybercriminals.
Eric Taylor and Blake Welsh are the security researchers who found the flaw on MetroPCS’s payment page, in addition to other bugs at Comcast and Verizon in the past. In the case of MetroPCS, which is owned by T-Mobile, anyone who knew a subscriber’s phone number could easily get ahold of their home address, type of mobile plan, and their phone model and serial number. With that data in hand, cybercriminals could then easily move on to identity theft and accessing bank accounts.
It seems MetroPCS was completely unaware of the problem until Motherboard contacted the carrier ahead of publishing its report. The carrier says the bug has been fixed, so customers’ data is no longer at risk, and there was no evidence that the information was accessed before the researchers discovered the bug.
But what makes the situation really scary is that, according to several security experts who spoke to Motherboard, hackers wouldn’t even need someone’s phone number. With a little programming knowledge, “an attacker could have just run an automated script and harvested the personal data of many, if not all, MetroPCS customers.”