71 Million T-Mobile Subscribers’ Data Potentially Exposed as Blackhat Hackers Exploited a Website Bug for Months
A security vulnerability in the T-Mobile website may have leaked details of its 71 million users. Discovered by security researcher Karan Saini, the bug was in the wsg.t-mobile.com API, where he saw that querying for someone else's phone number would result in the API sending back a response containing their data. This data included the user's email address, IMSI network code, billing account number, and more. Hackers who knew or guessed a user's phone number could have easily harvested data for phishing attacks and even hijacked the number itself for more nefarious purposes.
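The failure described above is a lookup whose only input is the phone number, with no check that the number belongs to the caller. What follows is an added example, not T-Mobile's code and not a model of the real wsg.t-mobile.com API: it shows that shape beside a hardened lookup bound to the authenticated account, plus a simple scraping check over constructed access-log lines. The subscriber records, account ids and log format are all constructed for illustration.

```python
# Added example, not T-Mobile's code. Subscriber records, account ids and the
# access-log format below are constructed; the real API is not modelled.
from collections import defaultdict

# Constructed subscriber table keyed by phone number. "account" groups lines on
# the same billing account (e.g. family members), as the article mentions.
SUBSCRIBERS = {
    "2065550101": {"email": "alice@example.com", "imsi": "310260000000001", "account": 1001},
    "2065550102": {"email": "bob@example.com",   "imsi": "310260000000002", "account": 1001},
    "4255550199": {"email": "carol@example.com", "imsi": "310260000000003", "account": 2002},
}

def lookup_unsafe(requested_phone):
    """Shape of the reported bug: the phone number is the only input, so any
    caller who knows or guesses a number receives that subscriber's record."""
    return SUBSCRIBERS.get(requested_phone)

class Forbidden(Exception):
    pass

def lookup_safe(session_phone, requested_phone):
    """Hardened form: the record is released only when the requested number is
    on the same billing account as the already-authenticated session's number."""
    caller = SUBSCRIBERS[session_phone]
    target = SUBSCRIBERS.get(requested_phone)
    if target is None or target["account"] != caller["account"]:
        # Same response for "unknown" and "not yours": no existence oracle.
        raise Forbidden("number not on caller's account")
    return target

def enumeration_suspects(log_lines, threshold=3):
    """Scraping detection: one client key (IP or API token) querying many
    distinct phone numbers. Constructed log format: 'client phone status'."""
    seen = defaultdict(set)
    for line in log_lines:
        client, phone, _status = line.split()
        seen[client].add(phone)
    return sorted(c for c, phones in seen.items() if len(phones) >= threshold)

# Constructed access log: one client walks consecutive numbers, 404s included.
LOG = [
    "10.0.0.5 2065550101 200",
    "10.0.0.5 2065550102 200",
    "10.0.0.5 2065550103 404",
    "10.0.0.5 2065550104 404",
    "192.0.2.9 4255550199 200",
]
```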
"T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini told Motherboard.
"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim."
With the Equifax data breach still lurking in everyone's mind and Accenture's irresponsible security protections only having come to light this week, this is yet another potential mega breach, where hackers didn't even need to break into T-Mobile's network, as everything was available to them thanks to a security bug.
Massive bug exposed T-Mobile subscribers' account data to anyone who had (or guessed) your phone number
Saini reports that after he contacted the telecom giant, the company patched the security bug, saying that only a small portion of its subscribers were vulnerable. It also said that "there is no indication that it was shared more broadly".
Turns out that Blackhat hackers were aware of this flaw for months and potentially used it to scrape data of millions of users. They had also uploaded a video showing others how to exploit it well before Saini discovered it and got it fixed. In response to the original Motherboard report, a blackhat hacker contacted the publication revealing that the bug was known and exploited for "quite a while".
"A bunch of sim swapping skids had the [vulnerability] and used it for quite a while," the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.
If exploited, the information could be used to impersonate legitimate T-Mobile subscribers, gaining access to their online and banking accounts that are secured with SMS-based two-factor authentication. In fact, the same already happened to TechCrunch writer John Biggs, who had reported in August that hackers had obtained a replacement for his T-Mobile SIM and managed to take over all his accounts that were protected by two-factor authentication. The hacker had then used the information from his Messenger and other accounts to reach out to his friends asking for bitcoins to save Biggs' father's life. In short, the possibilities for abuse are plentiful once phone data is in criminals' hands.
However, following the tracks of Equifax and Accenture, T-Mobile also continues to suggest that it has found no evidence of any "customer accounts affected as a result of this vulnerability".