A T-Mobile web domain left millions of customers’ account information — including their names, addresses, and sometimes tax identification numbers — unprotected for anyone to access. The website is designed as a customer care portal for employees, according to ZDNet, which first reported the security flaw, but it was available to find through search engines and required no password to access the tools.
Adding a customer’s phone number to the end of the web address yielded their full name, postal address, billing account number, and some account information, like whether they were past due on a bill or if their service had been suspended. In some cases, tax ID numbers were exposed as well, and the data referenced account PINs that customers used to verify their accounts when contacting support.
The website flaw had to do with an unprotected API, which T-Mobile pulled offline a day after this bug was reported through its bug bounty program. The researcher, Ryan Stevenson, received $1,000 for the find. A spokesperson told ZDNet that it did not have any evidence to suggest that customer information was inappropriately accessed. The affected website might have been live since at least October.