It only takes one. We’re not talking about Lay’s potato chips or crisps. We’re coming off a breach at the world’s largest consumer credit agency that affected 15 million T-Mobile customers. Now there’s another security hole, one that Big Magenta’s subsidiary, prepaid carrier MetroPCS, has just finished patching up.

But if you’re one of the 10 million customers who had their data so easily accessible, there’s little comfort in finding out that the hole was a “pretty bad f*ckup on MetroPCS’s side.”

That comment comes from one hacker who found a similar bug at AT&T’s site in 2010, which yielded him 114,000 subscribers’ emails. That raises the question of why you’d see this bug at another carrier some five years later.

Two researchers found that you could obtain any subscriber’s full name, home address, service plan level, phone model and even device serial number through this hole.

The hack could be targeted at an individual by entering a MetroPCS phone number into the payments page. On a mass scale, it would be feasible to garner 10 million subscribers’ information through a rather basic script in just about two days.

Since MetroPCS is a prepaid carrier, it does not ask for Social Security numbers. However, the info obtained would be enough for a single miscreant to commit identity fraud or spoof conversation content.

The research team contacted the source for this story, which in turn contacted T-Mobile about the bug before publishing its story. A T-Mobile spokesperson said that the company appreciated the “responsible disclosure,” but declined further comment.

And the good news, as far as we know, is that there’s been no evidence that the information has been used or even stolen.

Source: Motherboard
Via: Engadget