The Future Is Here
We may earn a commission from links on this page

A Bug on T-Mobile’s Website Exposed Its Customers’ Personal Information

We may earn a commission from links on this page.

A major flaw on T-Mobile’s website could have allowed hackers to extract personal information belonging to millions of customers, according to the researcher who discovered it. The bug was fixed on Friday after the company was approached by a security reporter.

On Tuesday, Motherboard reported that it had contacted T-Mobile last week to inquire about a security flaw in its website. Armed with only a phone number, hackers could’ve exploited the flaw, the site said, to access the personal information of T-Mobile subscribers, including their email addresses, account numbers, and their phone’s IMSI, a unique identifier assigned to every device.


The bug was originally discovered by security researcher Karan Saini, the founder of startup Secure7. There’s no evidence that it was used for any malicious purpose.

However unlikely—and with access to illegal (yet surprisingly easy to homebrew) tech, a criminal could potentially use a person’s IMSI number to track their location or intercept calls, text messages, and metadata. Law enforcement and intelligence agencies use IMSI numbers to identify and track cellphones belonging to persons of interest, using a range of cell-site simulators, colloquially known as “Stingrays” after one of the more popular models. (Another name for a Stingray is an “IMSI catcher.”)


Saini told Motherboard that the bug would’ve allowed virtually anyone to write a script that could retrieve those account details, though, as the website noted, neo-Nazi hacker Andrew Auernheimer (weev) was imprisoned for essentially doing just that back in 2011—only with iPads.

T-Mobile, which offered Saini a $1,000 bug bounty as a reward, had a different view of how the flaw might be abused, saying that it impacted only a small portion of customers, not the full 70-plus million.

The carrier noted that the issue was resolved within 24 hours after it was reported—and for that, it deserves at least some applause.