Until recently, a bug on a T-Mobile website exposed personal details of wireless subscriber accounts to anyone who knew how to query it. Saini, the researcher who reported the flaw, notes that T-Mobile offered him a $1,000 reward under its bug bounty program.
Though the data exposed by this vulnerability is less sensitive than home addresses or Social Security numbers, Motherboard notes that it is enough to support social engineering attacks such as phishing. Attackers apparently used data obtained through the bug to impersonate the rightful owners of a line, trick T-Mobile employees into issuing new SIM cards, and thereby hijack phone numbers.
Saini described the worst case: "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users."
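The bulk scraping Saini describes shows up on the server side as account enumeration: one client requesting records for far more distinct subscriber numbers than any legitimate user would. The script below is an added example of that check run over constructed access-log lines; it is not code from the article or from T-Mobile, and the log format, the `/account/lookup` path and the `msisdn` parameter are assumptions for illustration, not the real endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical access-log line format (assumption for this example):
#   <ISO timestamp> <client ip> <method> <path> <status>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
MSISDN_RE = re.compile(r"[?&]msisdn=(\d+)")


def parse_line(line):
    """Return (timestamp, client_ip, msisdn) or None if the line is not a subscriber lookup."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = MSISDN_RE.search(m.group("path"))
    if not q:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group("ip"), q.group(1)


def find_enumerators(lines, window_seconds=60, max_distinct=20):
    """Flag clients that looked up more than max_distinct distinct subscriber
    numbers inside any sliding window of window_seconds.

    Returns {client_ip: peak_distinct_numbers_in_one_window}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, msisdn = parsed
            per_ip[ip].append((ts, msisdn))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        window = deque()          # (ts, msisdn) currently inside the window
        in_window = defaultdict(int)  # msisdn -> occurrences inside the window
        peak = 0
        for ts, msisdn in events:
            window.append((ts, msisdn))
            in_window[msisdn] += 1
            # Evict requests older than the window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_msisdn = window.popleft()
                in_window[old_msisdn] -= 1
                if in_window[old_msisdn] == 0:
                    del in_window[old_msisdn]
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log: one legitimate client, one fast scraper, one slow scraper."""
    base = datetime(2017, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Legitimate account holder re-checking the same three family lines over five minutes.
    for i in range(15):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts:{fmt}} 198.51.100.4 GET /account/lookup?msisdn=555010000{i % 3} 200")
    # Fast scraper: sequential numbers, one request per second.
    for i in range(50):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:{fmt}} 203.0.113.7 GET /account/lookup?msisdn={5550200000 + i} 200")
    # Slow scraper: a new number every 90 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=90 * i)
        lines.append(f"{ts:{fmt}} 192.0.2.9 GET /account/lookup?msisdn={5550300000 + i} 200")
    # A request that is not a lookup and must be ignored.
    lines.append(f"{base:{fmt}} 198.51.100.4 GET /account/home 200")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("60s window:", find_enumerators(log))
    print("1h window: ", find_enumerators(log, window_seconds=3600))
```

With the default 60-second window only the fast scraper is flagged; the slow scraper stays under the threshold because it never has more than one number inside a window. Re-running with a one-hour window catches it too, so in practice the check should be evaluated at several window sizes (minute, hour, day), and the per-IP grouping should be complemented by a per-session or per-API-key count, since a scraper spread across many source addresses defeats the per-IP view.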
So even though the vulnerability has been patched, subscribers should still be wary of anyone who contacts them claiming to represent the company. T-Mobile said the issue affected only a small number of its customers, so perhaps the worst case scenario laid out by Saini was not realized.
T-Mobile said in a statement that "we were alerted to an issue that we investigated and fully resolved in less than 24 hours".
With the Equifax data breach still fresh in everyone's mind and Accenture's lax security practices having come to light only this week, this is yet another potential mega breach, one in which attackers did not even need to break into T-Mobile's network: the data was handed to them by a bug in a public-facing website.
"We have confirmed that we have shut down all known ways to exploit it", T-Mobile said.
Yesterday, however, an anonymous hacker told Motherboard that hackers had been exploiting the T-Mobile flaw for quite some time.