PSA: T-Mobile Subdomain Leaked User Account Details In April


According to recent reports, a hidden API on a T-Mobile subdomain which was discovered to be a security risk back in April may have leaked sensitive customer account details. Specifically, that was a bug in the API of the subdomain "" It allowed anybody who put in a phone number to get a wealth of information associated with that number with no extra effort whatsoever. Initially, it was discovered by a security researcher named Ryan Stevenson and immediately reported to T-Mobile. To the carrier's credit, just a day after the bug in the API was discovered it was taken down by the company. They subsequently reported that no accounts appeared to have been affected and rewarded Stevenson for his report. However, if new reports bear any weight, it turns out that hackers had known about and been exploiting the bug for weeks.

Making matters worse, the API appears to have been exposed as far back as October of 2017. That leaves quite a large swath of time for hackers to discover it and steal customer data and there was quite a lot of information available for some accounts – with T-Mobile's latest report touting as many as 74 million subscribers. By putting in a mobile number, would-be hackers would have had access to the customer's full name, postal address, and billing account number. Moreover, in a few notable cases, even tax identification numbers were reportedly available, in addition to account PINs. Those are the PINs used to verify customers when they call in or visit a retail location. That means that accounts could have easily been stolen with the data, leaving alone the risk to other aspects of a customer's identity.

As of this writing, there appears to be no solid figures with regard to how many accounts may have been affected and T-Mobile hasn't released any new statements since the breach was discovered in April. So it isn't immediately clear how the cell service provider is handling the situation. What's more, this isn't the only problem T-Mobile has had with security recently, either. Earlier this week one T-Mobile customer was the victim of an apparently unrelated unauthorized SIM swap which resulted in several social media accounts being stolen as well. That problem was dealt with quickly, as most of T-Mobile's security issues have been but it may be too soon to consider this newly discovered situation as being resolved.

Share this page

Copyright ©2018 Android Headlines. All Rights Reserved.

This post may contain affiliate links. See our privacy policy for more information.
Junior Editor

Daniel has been writing for AndroidHeadlines since 2016. As a Senior Staff Writer for the site, Daniel specializes in reviewing a diverse range of technology products and covering topics related to Chrome OS and Chromebooks. Daniel holds a Bachelor’s Degree in Software Engineering and has a background in Writing and Graphics Design that drives his passion for Android, Google products, the science behind the technology, and the direction it's heading. Contact him at [email protected]

View Comments