Until recently, a bug on a T-Mobile website gave hackers access to personal details relating to wireless subscriber accounts. What's really surprising about this particular attack vector is that hackers only needed a T-Mobile customer's phone number to gain access to private account details.
Karan Saini, a researcher from Secure7, first discovered and reported on the exploit noting that a script could be run to siphon data including email addresses, customer names, billing account numbers and even a phone's ISMI number. Because of the nature of the exploit, all of T-Mobile's 76 million customers could have been susceptible.
"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," said Saini, noting that the bug was found nestled in the wsg.t-mobile.com API.
For its part, T-Mobile was quick to respond, patching up the exploit shortly after it was first notified. "We were alerted to an issue that we investigated and fully resolved in less than 24 hours," said T-Mobile in a statement to Motherboard. "There is no indication that it was shared more broadly."
So, that's the end of the story, right? Wrong! Motherboard was contacted by a blackhat hacker who claims that the website bug has been known about for quite some time, and has already been exploited by nefarious parties. "A bunch of sim swapping skids had the [vulnerability] and used it for quite a while," said the hacker, who wished to remain anonymous.
In a YouTube how-to video dated August 6th, you'll find a detailed guide of how hackers were able to infiltrate T-Mobile's system and obtain customer data:
If all of this sounds familiar, it's because this appears to be the very same exploit that sent a TechCrunch editor through hell when his digital identity was hacked.