A T-Mobile USA website subdomain easily allowed anyone with a customer’s phone number to obtain personal information about them.

According to ZDNet, promotool.t-mobile.com was an employee tool easily accessible through search engines and was not protected by a password. Employees did specific look-ups by adding the customer’s cellphone number to the end of the address.

The look-up returned the customer’s full name, billing address and account numbers, with tax information for some customers; account PINs for access to privileged account actions, such as canceling an account or changing personal details; and details of any overdue bills or service suspensions.

The subdomain was pulled offline after bug hunter Ryan Stevenson reported the vulnerability to the company in April for a $1,000 bounty. However, it’s not clear how long the URL was live — the Internet Archive has logged a copy of the page from last October.

T-Mobile issued a statement, a portion of which reads:

The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure […] The bug was patched as soon as possible and we have no evidence that any customer information was accessed.

A similar exploit on T-Mobile’s site, also allowing access to personal information with just a phone number, was uncovered in October by Motherboard. It was independently verified that data was being taken through this method for weeks. The company’s prepaid subsidiary, MetroPCS, was also subject to the same number-entry exploit on its website in November 2015.

Jules Wang is News Editor for Pocketnow and one of the hosts of the Pocketnow Weekly Podcast. He came onto the team in 2014 as an intern editing and producing videos and the podcast while he was studying journalism at Emerson College. He graduated the year after and entered into his current position at Pocketnow, full-time.
