2017 has been a year in which many companies have had to come to grips with massive database breaches. The personal information of hundreds of millions of people has poured out into the wild. Every company out there should be on maximum guard to ensure that they are not in the headlines as well. Unfortunately, it seems that T-Mobile did not heed the examples set by other compromised conglomerates, and the wireless carrier may soon find itself in the headlines.
A vulnerability was discovered in T-Mobile’s customer-facing website at some point this summer. The webpage in question was wsg.T-Mobile.com. The page used an Application Programming Interface (API) which was easily manipulated by anyone who had the phone number of a T-Mobile subscriber. In fact, a script could be run to submit countless random numbers as queries against the database. When a valid phone number was presented, a page would display unencrypted account data, including credit card numbers, addresses and names. The hack was so well known that in early August a tutorial video was put up on YouTube. Hackers have claimed that they have been using the exploit since at least that time.
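The flaw class described above is a lookup keyed on a phone number with no check that the number belongs to the caller. The sketch below is an added example, not T-Mobile's code: it puts such a lookup beside a hardened one that enforces ownership and throttles clients that keep asking for numbers they do not own. All names, limits and records are hypothetical, and it assumes callers hold a session token.

```python
# Added illustration: every name here (AccountAPI, SESSIONS, ACCOUNTS, the
# limits) is hypothetical; the data is constructed, not from T-Mobile.
import time
from collections import defaultdict, deque

ACCOUNTS = {  # constructed records keyed by subscriber number
    "5550100": {"owner": "alice", "name": "Alice Example"},
    "5550101": {"owner": "bob", "name": "Bob Example"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> logged-in user


class AccountAPI:
    def __init__(self, max_misses=3, window=60.0, clock=time.monotonic):
        self.max_misses = max_misses      # denied lookups tolerated per window
        self.window = window              # sliding window, in seconds
        self.clock = clock
        self.misses = defaultdict(deque)  # client id -> timestamps of denials

    def lookup_vulnerable(self, token, msisdn):
        # Returns the record for whatever number is supplied: no ownership check.
        if token not in SESSIONS:
            return 401, None
        rec = ACCOUNTS.get(msisdn)
        return (200, rec) if rec else (404, None)

    def lookup_hardened(self, token, msisdn, client):
        user = SESSIONS.get(token)
        if user is None:
            return 401, None
        now = self.clock()
        q = self.misses[client]
        while q and now - q[0] > self.window:
            q.popleft()                   # expire denials outside the window
        if len(q) >= self.max_misses:
            return 429, None              # pattern looks like enumeration
        rec = ACCOUNTS.get(msisdn)
        # Object-level check: the record must belong to the caller.
        if rec is None or rec["owner"] != user:
            q.append(now)
            # Same answer for "no such number" and "not yours", so responses
            # do not reveal which numbers are valid subscribers.
            return 404, None
        return 200, {"name": rec["name"]}
```
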
Fast-forward about two months, and T-Mobile was alerted to the hole by an anonymous security researcher via Motherboard’s Lorenzo Franceschi-Bicchierai. T-Mobile was notified on October 5th about the issue and corrected the vulnerability in their system the following day. Roughly a week later, T-Mobile issued a public statement noting that they had discovered a vulnerability in their system which only affected a limited number of customers and that no data had been lost. Based on the information available at this time, it is highly unlikely that only a limited number of customers were affected. It is similarly unlikely that no data was compromised. The most likely outcome of all this is that T-Mobile will soon have to amend their disclosure to reflect that their entire database was wide open to hackers for some time and a good number of accounts were compromised.
There is an extra layer of concern with this breach. After stealing customer data, a hacker could then use that data to call into T-Mobile and request a replacement SIM card. In an attempt to improve account security, many people have added two-factor authentication to their various accounts. This two-factor authentication will send the user a unique code via email or SMS after they have successfully entered their password. With a nefariously acquired SIM card, thieves would now be able to bypass that additional security verification step. There have already been journalists and media personalities who were victims of this type of attack. I expect that there will likely be more reports in the coming months.
As this is an ongoing and unfolding story, we will continue to report as more information becomes available.