In the words of a famous disc jockey: “Another one.” A young hacker-turned-security researcher in England found a critical vulnerability on T-Mobile’s website that basically left records of user logins exposed online for hackers to pillage. The bug was reported and patched in December, and T-Mobile says no customer information was compromised as a result of this flaw.
Kane Gamble, who pled guilty to trying to hack into the email accounts of senior U.S. government officials in 2015 and 2016, spotted and reported the bug to T-Mobile on December 19th, 2017. According to an email statement T-Mobile gave to Motherboard, the bug was marked as critical and “fixed within a matter of hours.” The carrier also said it found “no evidence of customer information being compromised.” Gamble was given a $5,000 reward for reporting the vulnerability.
“Everyone that was logging in could’ve had their account hacked,” Gamble told Motherboard. He noted that he got a hold of more than 800 customer logins by accessing the exposed logs just three times.
It’s unclear how long T-Mobile’s website had this vulnerability, though the company said “if there had been customer impact we would have immediately taken proper steps to follow up.” (For what it’s worth, I was forced to change my password for the first time ever when I tried logging in to my T-Mobile online account this week.)
Earlier this month, a customer in Washington sued T-Mobile for improperly porting his number, which opened the door for someone to take off with his cryptocurrency. In October, a security researcher revealed a bug that allowed hackers to steal personal account information using just a phone number. So yeah, the “Un-carrier” may have some trust-building to do in the months ahead.