Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Communications Security United States

T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number (vice.com) 62

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victim's numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.
This discussion has been archived. No new comments can be posted.

T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number

Comments Filter:
  • Guess what service I'm glad I nev... well, shit. A time to be glad I'm not the actual account owner (family plan).
  • Hacker? (Score:4, Insightful)

    by DontBeAMoran ( 4843879 ) on Tuesday October 10, 2017 @01:55PM (#55344617)

    T-Mobile website allowed hackers to access your account data with just your phone number.

    If all it takes is to type a phone number in the URL then it's not hacking.

    "Unlocked doors allow thieves to open them" sounds as stupid. If they're unlocked, anyone can open them, not just thieves.

    • Re:Hacker? (Score:4, Informative)

      by TooMuchToDo ( 882796 ) on Tuesday October 10, 2017 @02:01PM (#55344665)

      The US government considers it so, and prosecutes for it.

      "A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release."

      https://www.wired.com/2013/03/... [wired.com]

      • by Anonymous Coward

        That's because the U.S.A. government is run by a bunch of technology-ignorant fools.

      • Sometimes it's obvious you shouldn't be doing that, and sometimes it's not.

        People get in trouble for both scenarios.

        e.g. URL munging the application website at Harvard to see application status results in offers being retracted

        https://arstechnica.com/uncate... [arstechnica.com]

    • by Anonymous Coward

      Try using that excuse when going in a stranger's house

  • All my other info is out there anyway. If they already know my phone number, there's not much else they need. Thanks, Equifax.
  • It was a feature. But don't tell the press that!
  • by Anonymous Coward

    Seems like Equifax can learn a thing or two from T-Mobile.. they're much better at fixing bugs/security holes

  • by Anonymous Coward

    My phone company back in the 1980s would accidentally mail me a thick book with everyoneâ(TM)s phone number and physical address. I really could have done some crazy stuff with it, but the most I did with it was to call my classmateâ(TM)s house..

  • "call 1-805-637-7243, otherwise known as the "Voice Mail Back Door number." When you hear the prompt, i.e. "Welcome to the T-Mobile
    messaging center. Please enter the 10-digit number of the person you
    are trying to reach," enter the number. You will then be connected
    directly with that person's voicemail. Press "1" to leave a message,
    leave your message and hang up." http://answers.google.com/answ... [google.com]

  • Every day like their has been for a few days now... IT will finally be forced to turn into a profession.

  • ....should just get a new identity and move. We get random names, SSNs, and addresses assigned and start our lives over from scratch.

When someone says "I want a programming language in which I need only say what I wish done," give him a lollipop.