With the massive Equifax hack still fresh in our minds, we’re now learning that a bug on T-Mobile’s website made it very easy for hackers to make off with subscriber information. The information that was potentially put at risk includes email addresses, T-Mobile account numbers, and the IMSI number from customer phones. All those hackers needed to access that information was your phone number, which isn’t exactly a difficult thing to find (or even stumble upon).
Though the information revealed by this vulnerability may not have been as sensitive as things like addresses and Social Security numbers, Motherboard notes that the information that was compromised could be enough to carry out social engineering attacks like phishing. Beyond that, since IMSIs – unique numbers that identify mobile subscribers on T-Mobile’s network – were included in the exposed data, what was left vulnerable could be enough to hijack phone numbers.
The scale of this breach seems to be limitless as well. Motherboard spoke to Karan Saini, a security researcher from Secure7, who said that all 76 million T-Mobile subscribers could have had their data exposed through this vulnerability. It isn’t out of the question that hackers could have coded a script to collect this data, thereby putting all T-Mobile subscribers at risk.
T-Mobile, to its credit, claims to have patched the vulnerability less than 24 hours after Motherboard alerted it last week. T-Mobile said that the issue affected only a small number of its customers, so perhaps the worst-case scenario laid down by Saini wasn’t realized. Still, after Motherboard ran its story, an anonymous blackhat hacker got in touch and claimed that the bug had been exploited by others seemingly before Saini discovered it, with some of those hackers even taking over customer phone numbers.
So, even though the vulnerability has been patched, it sounds like subscribers should still be wary of anyone contacting them claiming to be a representative for the company. It seems that we don’t know just how many customers were affected by this vulnerability, so if T-Mobile talks about it any further, we’ll be sure to let you know.