According to recent reports, a hidden API on a T-Mobile subdomain, which was discovered to be a security risk back in April, may have leaked sensitive customer account details. Specifically, the flaw was a bug in the API of the subdomain "promotool.t-mobile.com." It allowed anybody who entered a phone number to retrieve a wealth of information associated with that number, with no extra effort whatsoever. It was initially discovered by a security researcher named Ryan Stevenson and immediately reported to T-Mobile. To the carrier's credit, the API was taken down by the company just a day after the bug was reported. T-Mobile subsequently stated that no accounts appeared to have been affected and rewarded Stevenson for his report. However, if the new reports bear any weight, hackers had known about and been exploiting the bug for weeks.
Making matters worse, the API appears to have been exposed as far back as October of 2017. That leaves quite a large window of time for hackers to discover it and steal customer data, and there was quite a lot of information available for some accounts, with T-Mobile's latest report touting as many as 74 million subscribers. By entering a mobile number, would-be hackers would have had access to the customer's full name, postal address, and billing account number. Moreover, in a few notable cases, even tax identification numbers were reportedly available, in addition to account PINs. Those are the PINs used to verify customers when they call in or visit a retail location. That means accounts could easily have been stolen with the data, to say nothing of the risk to other aspects of a customer's identity.
As of this writing, there appear to be no solid figures on how many accounts may have been affected, and T-Mobile hasn't released any new statements since the breach was discovered in April. So it isn't immediately clear how the cell service provider is handling the situation. What's more, this isn't the only problem T-Mobile has had with security recently. Earlier this week, one T-Mobile customer was the victim of an apparently unrelated unauthorized SIM swap, which resulted in several social media accounts being stolen as well. That problem was dealt with quickly, as most of T-Mobile's security issues have been, but it may be too soon to consider this newly discovered situation resolved.