T-Mobile website bug let hackers steal data with a phone number

"Black hats" posted a YouTube tutorial on how to exploit it months ago.

Tak Yeung via Getty Images

Up until last week, a T-Mobile website had a serious security hole that let hackers access user's email addresses, accounts and a phone's IMSI network code, according to a report from Motherboard. Attackers only needed your phone number to obtain the information, which could be used in social engineering attacks to commandeer your line, or worse.

The security researcher who discovered the hole, Karan Saini from startup Secure7, notes that anyone could have run a script to scrape the data of all 76 million T-Mobile users and create a searchable database. "That would effectively be classified as a very critical data breach, making every T-mobile cell phone owner a victim," he told Motherboard.

T-Mobile told Engadget in a statement that "we resolved the vulnerability that was reported to us by the researcher in less than 24 hours and we have confirmed that we have shut down all known ways to exploit it. As of this time we've found no evidence of customer accounts affected as a result of this vulnerability." Saini notes that T-Mobile offered him a $1,000 reward as part of its bug bounty program.

A bunch of SIM swapping kids had [the hack] and used it for quite a while.

However, an anonymous hacker disputes T-Mobile's claim that the bug wasn't shared broadly, telling Motherboard that "a bunch of SIM swapping kids had [the hack] and used it for quite a while." They could have exploited the data to "socially engineer," or basically con, T-Mobile technicians into handing over replacement SIMs by pretending they're the owners of the line. Motherboard also discovered a YouTube video dated August 6th that describes exactly how to execute the hack.

In fact, this is exactly what happened to Techcrunch writer John Biggs on August 22nd. After impersonating him and obtaining a replacement for his T-Mobile SIM, a hacker was able to quickly change his Gmail, Facebook, and other passwords, even though they were protected by two-factor SMS authentication.

It's impossible to say whether information obtained via the security hole helped the hackers swindle hapless T-Mobile tech support employees into sending them replacement SIMs, but it certainly appears plausible. (Tech support folks are supposed to require security question responses, invoices and other information, but often hand over SIMs to smooth-talking hackers without it.) We've reached out to T-Mobile and the FCC to find out if there was an uptick in such attacks over the last few months.

Update: The article has been updated to include T-Mobile's statement.