ZDNet Researcher Ryan Stevenson recently found a big problem on T-Mobile's website regarding an unprotected API. As a result of the flaw, untold millions of T-Mobile's customers' account information was left exposed and completely unprotected. Literally anyone who stumbled across the site and tried to abuse it could access a wide range of customer information with no password required.
This includes, but is not limited to:
- Customer name
- Phone number
- Mailing Address
- Account Number
- The status of the account (current, past due, suspended, etc.)
In an unknown number of cases, tax IDs and PINs were also exposed.
T-Mobile has a bug bounty program and pays a bounty to anyone who discovers a flaw that impacts the company. Stevenson received a $1,000 reward for discovering the issue, and subsequent research revealed that the flaw had been present on the company's website since October, 2017 or prior.
T-Mobile's handling of the incident has been less than stellar so far. Although they have acknowledged the existence of the issue and have already moved to correct it, the company has issued no information relating to how many customer records were exposed.
There is no evidence that any of the exposed records were inappropriately accessed. Typically, when an incident like this occurs, the company in question provides details relating to the scope and scale of the incident, informs all potentially impacted customers and usually provides a year of free credit and identity monitoring. So far, none of that has occurred.
While it's certainly possible that the company may take these steps in the future, we were both surprised and disappointed that they had not already done so, especially given the fact that this was essentially a self-inflicted wound. Here's hoping that in the days ahead, they do something to earn back the lost trust.