It seems we can't go a week without a major breach in security at a huge company, with T-Mobile's website now reportedly hacked and the data from 76 million of its users could be exposed.
Security researcher Karak Saini discovered the bug in the wsg.t-mobile.com API, where if someone searched for someone else's number, the API sending back the data would include that users' data. The data in question included users' email addresses, IMSI network code, billing account data, and more. All hackers had to do was know, or guess a user's phone number, and they could have virtually all of that person's information, and more.
Saini spoke with Motherboard, where he said: "T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users".
Saini told T-Mobile about the issue, with the telco fixing the security bug and reassuring everyone that only a small portion of their subscribers were open to this attack. T-Mobile added that "there is no indication that it was shared more broadly". Blackhat hackers have had access to this flaw for months, and could've taken the data from millions upon million of users' data.
One of the blackhat hackers had a response to the original Motherboard story, saying that the bug was known and exploited for "quite a while".