
A T-Mobile USA website subdomain allowed anyone with a customer’s phone number to easily obtain personal information about that customer.

According to ZDNet, promotool.t-mobile.com was an employee tool that was easily accessible through search engines and was not protected by a password. Employees looked up a specific customer by adding the customer’s cellphone number to the end of the address.

The look-up revealed the customer’s full name, billing address and account numbers, with tax information for some customers; account PINs for access to privileged account actions, such as canceling an account or changing personal details; and details of any overdue bills or service suspensions.

The subdomain was pulled offline after bug hunter Ryan Stevenson reported the vulnerability to the company in April for a $1,000 bounty. However, it’s not clear how long the URL was live — the Internet Archive has logged a copy of the page from last October.

T-Mobile issued a statement, a portion of which reads:

The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure […] The bug was patched as soon as possible and we have no evidence that any customer information was accessed.

A similar exploit on T-Mobile’s site, also allowing access to personal information with just a phone number, was uncovered in October by Motherboard. It was independently verified that data was being taken through this method for weeks. The company’s prepaid subsidiary, MetroPCS, was also subject to the same number-entry exploit on its website in November 2015.
