The flaw, which Motherboard said was discovered by security researcher Karan Saini, could have allowed hackers who knew — or guessed — a customer’s phone number to obtain data valuable in social engineering attacks, or perhaps even to hijack victims’ numbers. The bug was repaired Friday after Motherboard asked the wireless carrier about the issue.
Saini told Motherboard that an attacker could leverage the vulnerability by writing a script to siphon data from T-Mobile’s 76 million customer accounts to create a searchable database of up-to-date information on its users. He classified it as “a very critical data breach.”
T-Mobile didn’t immediately respond to a request for comment but disputed Saini’s conclusions, saying in a statement to Motherboard that only a small part of its customers were impacted by the bug.
“We were alerted to an issue that we investigated and fully resolved in less than 24 hours,” T-Mobile said in a statement. “There is no indication that it was shared more broadly.”
This isn’t the first time T-Mobile customers’ personal data has been exposed. Hackers by going after Experian, the company that processes the wireless carrier’s credit checks. The credit-reporting bureau said in 2015 that, over a two-year period, hackers made off with data that included customers’ names, birth dates, addresses and Social Security and drivers’ license numbers.