Hackers have been spreading around a method to access any T-Mobile customer’s personal information, including account members’ upgrade and billing information, email, IMSI and other associated phone numbers.
All it takes is rendering script with an authorized token to T-Mobile’s site and plugging in a phone number at the end of it. Exploits of this type have also affect AT&T iPad accounts and MetroPCS.
While it was first publicly reported to Motherboard by security firm Secure7, an anonymous blackhat hacker later told the said publication that the bug had been exploited since at least early August. It’s not clear if any widespread compromise has been committed or if it would have been monetarily valuable to malicious actors, but even on an individual level, it can be pretty tough.
“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” said the hacker, to illegally steal phone numbers from people.
User location data would also be compromised through by obtaining access to the SS7 infrastructure.
T-Mobile patched the exploit last week and gave Secure7 founder Karan Saini a bounty reward of $1,000. It later stated that it “found no evidence of customer accounts affected as a result of this vulnerability.”
In 2015, Experian admitted that a breach had compromised millions of T-Mobile customers data.