
T-Mobile Left Customer Session Vulnerable Again In December

T-Mobile apparently suffered the effects of a previously unreported vulnerability several months ago which would have allowed hackers to log into the site as any one of the company’s subscribers. In fact, the bug was reportedly noted back on December 19 and, according to a statement released by the service provider, was fixed within hours of being reported via HackerOne by Kane Gamble. What makes this vulnerability look particularly bad for T-Mobile is that it was effectively the result of the company leaving customer login logs exposed. Because Gamble knew where to look, within just three checks of the log and the associated session cookies, he was able to gain access to more than 800 customers’ credentials. Perhaps most worryingly, T-Mobile has not revealed any information regarding the length of time for which customer data may have been left out in the open.

With that said, the company has said that there is no evidence that any customer accounts were compromised, as of this writing. Representatives of the company went a bit further and have said that if there had been any evidence of a breach, T-Mobile would have come forward. However, as is often the case with these kinds of vulnerabilities, it could take days, weeks, or months before any credentials that may have been stolen are actually used. So, in the meantime, anybody who happens to be a T-Mobile customer may want to log in to check their account and change their password. It goes without saying that any suspicious account changes should be reported to the carrier immediately.

Meanwhile, this was not the only major security problem to affect T-Mobile over the course of the last year. A public service announcement was sent out earlier this month in response to an industry-wide SIM hijacking scam. That message has been speculated to have actually originated from an earlier security issue the company experienced which bore a resemblance to this new breach. That problem was noted back in October of last year and also centered on the site inadvertently leaking customer information. Unfortunately, this is beginning to look suspiciously like a T-Mobile-specific problem since it doesn’t appear to be affecting other carriers. But it’s important to bear in mind that there’s no way to be sure whether or not that is the case.