One of T-Mobile’s websites left a tool exposed that let anyone look up personal account data on the carrier’s customers, it has been revealed. Users only required the customer’s phone number to retrieve the information, leaving many people vulnerable to data theft. The issue has since been fixed, but it’s unclear how many customers may have been impacted by it.
The issue was discovered in April by security researcher Ryan Stevenson, according to ZDNet, which states that T-Mobile removed access to the tool a day after being notified. Stevenson was awarded $1,000 under the carrier’s bug bounty program.
A subdomain called promotool.t-mobile.com was the source of the data exposure. According to the report, it appears the domain was intended for T-Mobile workers to access customer information during the course of their job. However, it could be discovered using search engines, providing anyone who found it with potential access to any customer’s data.
When visiting the promo tool domain now, visitors are presented with a simple “Customer Care Portal” note and a “Sign In” link, and only those with credentials can sign in to use the portal. Before the fix, however, the tool exposed a large amount of customer data to anyone who reached it.
According to ZDNet, before being fixed, the customer care portal returned information including tax ID numbers, the customer’s full name, account number, address, service and bill payment status, and possibly even account PINs. This isn’t the first time T-Mobile has left customer information exposed: late last year, Motherboard discovered a similar bug that let attackers access account information using only the customer’s phone number.
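The failure pattern described above is an internal lookup tool that answers to nothing more than a phone number. The following is an added illustration, not T-Mobile’s code or anything from the ZDNet report, of that weak pattern beside a hardened variant that requires a server-side staff session, logs every lookup for audit, and never returns the fields (tax ID, account PIN) an agent has no need to see. All records, user names, and tokens are constructed sample values.

```python
"""Added example (hypothetical, not T-Mobile's code): an account-lookup
handler keyed on a bare phone number, beside one that first requires an
authenticated staff session and withholds high-value fields."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data; the field set mirrors what the report lists.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "5551234567": {
        "name": "Example Customer",
        "account_number": "000123456",
        "address": "1 Example St",
        "service_status": "active",
        "bill_status": "paid",
        "tax_id": "XXX-XX-0000",
        "account_pin": "1234",
    },
}

# Fields that must never leave the server in a lookup response.
SENSITIVE = {"tax_id", "account_pin"}


class Forbidden(Exception):
    """Raised when a request carries no valid staff session."""


def lookup_unauthenticated(phone: str) -> Dict[str, str]:
    """The weak pattern: whoever reaches the endpoint and supplies a phone
    number receives the complete record, secrets included."""
    return ACCOUNTS.get(phone, {})


# --- hardened variant -------------------------------------------------------

@dataclass
class Session:
    user: str
    token: str


# Server-side session store keyed by token (constructed; a real deployment
# would back this with its SSO or session service).
SESSIONS: Dict[str, Session] = {}

# Audit trail of (staff user, phone looked up); feed this to the SIEM.
AUDIT_LOG: List[Tuple[str, str]] = []


def create_session(user: str) -> Session:
    """Issue a random, unguessable session token for an authenticated user."""
    session = Session(user=user, token=secrets.token_urlsafe(32))
    SESSIONS[session.token] = session
    return session


def _authenticate(token: Optional[str]) -> Session:
    """Resolve a presented token to a session using a constant-time compare."""
    if not token:
        raise Forbidden("no session presented")
    for stored, session in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return session
    raise Forbidden("invalid session")


def lookup_authenticated(phone: str, session_token: Optional[str]) -> Dict[str, str]:
    """Authenticate first, record who asked for what, then return only the
    fields a care agent needs; the PIN is something to verify, not display."""
    session = _authenticate(session_token)
    AUDIT_LOG.append((session.user, phone))
    record = ACCOUNTS.get(phone)
    if record is None:
        return {}
    return {key: value for key, value in record.items() if key not in SENSITIVE}
```

The authentication check runs before the account store is touched, so an unauthenticated caller learns nothing, not even whether the number exists, and every successful lookup leaves an audit entry that can be alerted on when one session queries an unusual number of accounts.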