An unsecured T-Mobile website made customer information available to anyone

6 years ago
Anonymous $CLwNLde341

https://www.theverge.com/2018/5/24/17390678/tmobile-api-website-flaw-hack

A T-Mobile web domain left millions of customers’ account information — including their names, addresses, and sometimes tax identification numbers — unprotected for anyone to access. The website is designed as a customer care portal for employees, according to ZDNet, which first reported the security flaw, but it was available to find through search engines and required no password to access the tools.

Adding a customer’s phone number to the end of the web address yielded their full name, postal address, billing account number, and some account information, like whether they were past due on a bill or if their service had been suspended. In some cases, tax ID numbers were exposed as well, and the data referenced account PINs that customers used to verify their accounts when contacting support.
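The flaw described above is a missing authentication and authorization check on a lookup keyed by a customer identifier: the phone number in the URL was the only input, so anyone who could reach the endpoint could read any account. The following is an added example, not code from T-Mobile, ZDNet or The Verge, that models that flawed lookup in plain Python beside a hardened version that authenticates the caller, restricts customers to their own record, strips sensitive fields (tax ID, PIN material) from the response, and records each access for audit. The account records, session tokens and role names are all constructed for illustration.

```python
"""Added example: an unauthenticated lookup keyed by phone number (the
pattern the article describes) beside a hardened version. All data below
is constructed sample data; the tokens and roles are assumptions."""
from typing import Dict, List, Optional, Tuple

# Constructed sample account directory, keyed by phone number.
ACCOUNTS: Dict[str, dict] = {
    "5550100": {"name": "Alice Example", "address": "1 Example St",
                "billing_account": "BA-0001", "tax_id": "000-00-0001",
                "past_due": False, "suspended": False, "pin_hash": "<hash>"},
    "5550101": {"name": "Bob Example", "address": "2 Example Ave",
                "billing_account": "BA-0002", "tax_id": "000-00-0002",
                "past_due": True, "suspended": True, "pin_hash": "<hash>"},
}

# Constructed session store (assumption): bearer token -> principal.
SESSIONS: Dict[str, dict] = {
    "agent-token-xyz": {"user": "care-agent-7", "role": "care_agent"},
    "cust-token-abc": {"user": "alice", "role": "customer", "phone": "5550100"},
}

# Fields a caller may ever see; tax_id and pin_hash are never returned.
SAFE_FIELDS = ("name", "address", "billing_account", "past_due", "suspended")


class Unauthorized(Exception):
    """No valid session: respond 401 before touching any account data."""


class Forbidden(Exception):
    """Valid session, but not allowed to read this account: respond 403."""


def lookup_unprotected(phone: str) -> Optional[dict]:
    """The flawed pattern: the identifier in the URL is the only input.

    No caller identity is established, so every record (including tax ID
    and PIN material) is readable by anyone who can reach the endpoint.
    """
    return ACCOUNTS.get(phone)


def lookup_hardened(phone: str, token: str,
                    audit_log: List[Tuple[str, str]]) -> Optional[dict]:
    """Same lookup with the checks the flawed version lacked.

    Order matters: authenticate, then authorize, and only then read the
    record, so an unauthenticated caller cannot even learn whether a
    phone number exists.
    """
    # 1. Authenticate: the request must carry a known session token.
    principal = SESSIONS.get(token)
    if principal is None:
        raise Unauthorized()

    # 2. Authorize: care agents may read any account; a customer may read
    #    only the account bound to their own session.
    role = principal["role"]
    if role == "care_agent":
        pass
    elif role == "customer" and principal.get("phone") == phone:
        pass
    else:
        raise Forbidden()

    # 3. Look up the record only after the caller is authorized.
    record = ACCOUNTS.get(phone)
    if record is None:
        return None

    # 4. Minimise: project onto the allow-list; tax_id/pin_hash never leave.
    view = {field: record[field] for field in SAFE_FIELDS}

    # 5. Audit: record who read which account (constructed in-memory log).
    audit_log.append((principal["user"], phone))
    return view


if __name__ == "__main__":
    print("unprotected:", lookup_unprotected("5550100"))
    log: List[Tuple[str, str]] = []
    print("hardened (agent):", lookup_hardened("5550100", "agent-token-xyz", log))
    print("audit log:", log)
```

The hardened function raises before any record is read, so a missing or bad token gets the same answer whether or not the phone number exists, and the allow-list projection means a future field added to an account record is not exposed by default.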