Personal Info Vulnerable, MetroPCS’ Security Issues To Blame

November 17, 2015 - Written By Daniel Fuller

Everybody and their brother seems to be getting hacked, falling victim to leaks or having massive security vulnerabilities exposed these days. Needless to say, this situation can end quite badly for the host of the vulnerable service or website as well as the customer or user whose data can be stolen. Just ask T-Mobile and Experian. It’s a bad situation all around and the frequency and severity of it happening these days is cause for serious concern. In any case, the latest member of the prestigious ranks of the once-vulnerable, saved by just and knightly white-hat hackers, is T-Mobile’s fairly recent acquisition, MetroPCS.

Up until October 22, through just a bit of savvy HTTP wizardry, anybody with a MetroPCS customer’s phone number could access such personal info as their home address, plan type, payment amount, phone model and even phone serial number. From there, of course, a malicious party could always grab more information and eventually find themselves able to access a compromised customer’s bank account and personal logins or even stalk them in real life. Perhaps worst of all, this hack would have theoretically made it possible to harvest that data on all MetroPCS customers, allowing such shady activities as the forming of botnets and robocall networks or the mass draining of bank accounts in small increments, which in some cases would not be enough to trigger banks’ security systems, meaning that unless users noticed and spoke up, the hackers could potentially drain a couple bucks from millions of accounts and end up filthy stinking rich.

Thanks to the noble efforts of Eric Taylor and Blake Welsh, who discovered the vulnerability, gathered volunteers to test it and promptly reported it to T-Mobile, nobody will be able to wield such power over MetroPCS customers. Motherboard, our source link, was the first to report on this phenomena, and of course, held the story until the hack was fixed and any inspired would-be hackers would be out of luck. A similar vulnerability popped up on AT&T’s website way back in 2010. After the fiasco with Experian, this does not bode well for T-Mobile or MetroPCS.