Unprotected T-Mobile API Let Anyone Get Customer Data With Just a Phone Number

A security vulnerability in T-Mobile's website let anyone gain access to the personal details of any T-Mobile customer using just a phone number, reports ZDNet.

An internal T-Mobile employee tool, promotool.t-mobile.com, had a hidden API that provided T-Mobile customer data when a customer's cell phone number was added to the end of the web address. Data that was available included full name, address, billing account number, and for some customers, tax identification numbers.

Account data, such as service status and billing status, was also included, but it does not appear that credit card numbers, passwords, or other sensitive information was compromised. ZDNet says that there were "references to account PINs used by customers as a security question" which could be used to hijack T-Mobile accounts.

The API was used by T-Mobile staff to look up customer data, but it was accessible to the public and not protected by a password. T-Mobile rectified the issue in early April after it was disclosed by security researcher Ryan Stevenson, who ultimately earned $1,000.

In a statement provided to ZDNet, T-Mobile says that it does not appear customer data was accessed using the API, but research suggests the API had been exposed since at least October 2017.

A T-Mobile spokesperson said: "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure." "The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.

This is not the first unprotected API issue that T-Mobile has faced. Last year, a similar bug also exposed customer data to hackers.

T-Mobile has more than 74 million customers, and had this most recent bug been exploited, a simple script could have provided hackers with access to data on millions of people.
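
As an added example (not from the article, ZDNet or T-Mobile), this is the kind of access-log check that shows whether a lookup endpoint keyed by phone number is being walked by a script or is returning data without authentication. The `/lookup/<number>` path, the log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The /lookup/<number> path is a
# hypothetical stand-in; the article does not give the real path.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /lookup/5555550101 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /lookup/5555550102 HTTP/1.1" 200 498
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /lookup/5555550103 HTTP/1.1" 200 505
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /lookup/5555550104 HTTP/1.1" 200 520
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /lookup/5555550105 HTTP/1.1" 404 120
192.0.2.10 - staff42 [01/Jan/2024:10:03:00 +0000] "GET /lookup/5555550101 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:11:00:00 +0000] "GET /lookup/5555550107 HTTP/1.1" 200 501
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup/(?P<number>\d{10}) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, user, timestamp, number, status) for each lookup request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], m["user"], ts, m["number"], int(m["status"])

def find_enumeration(log_text, max_distinct=3, window=timedelta(minutes=1)):
    """Map client IP -> peak distinct numbers per window, if above max_distinct."""
    by_ip = defaultdict(list)
    for ip, _user, ts, number, _status in parse(log_text):
        by_ip[ip].append((ts, number))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({n for _, n in hits[start:end + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def unauthenticated_hits(log_text):
    """Lookups that returned data (200) with no authenticated user logged."""
    return [(ip, number) for ip, user, _ts, number, status in parse(log_text)
            if status == 200 and user == "-"]
```

A check like this only works if the endpoint's requests were logged with the client address, the requested identifier and the authenticated user in the first place.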


Top Rated Comments

dhess34
99 months ago
Pro tip from someone that works in Information Assurance, and has been involved in cleaning up several companies’ similar messes: anytime you see “we have no evidence that any customer information was accessed”, you can assume that they have zero logging. They ‘have no evidence’ because they have no logs; they aren’t saying it didn’t happen, it’s just a nice way to make it seem like nothing bad happened. Ask for evidence proving nothing bad happened, and you’ll be met with a horrified stare.
Score: 19 Votes
profets
99 months ago
Makes me think back to this conversation with TMobile on Twitter about the passwords being stored in plaintext (though it was TMO Austria).

https://twitter.com/tmobileat/status/981418339653300224

“Our security is amazingly good” LOL
Score: 16 Votes
Analog Kid
99 months ago
Until we start punishing these stupid mistakes with penalties that actually hurt, this is just going to happen over and over...
Score: 15 Votes
PlainviewX
99 months ago
Only $1000 for a catastrophic possible breach discovery? That's like getting paid $45 in a contest that was used as the Mets logo.
Score: 9 Votes
FlipPhony
99 months ago
#uncarrier #unsafe #uncool
Score: 2 Votes
justperry
99 months ago
#uncarrier #unsafe #uncool
Doesn't that apply to most big providers in the USA.:rolleyes:
The other big ones have their own "issues".
Score: 2 Votes