A T-Mobile API exposed the personal data of any customer, and all an attacker needed was the customer's phone number, according to ZDNet. T-Mobile shut the API down after it was reported through the company's bug bounty program and said there was no evidence the data was actually accessed.
In a statement, T-Mobile said:
"The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure. The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.
We’ve Been Down this Road Before
Of course, T-Mobile said the same thing about a similar API on a different subdomain that came to light in October of 2017. Motherboard reported at the time that, despite T-Mobile's statement that there was no evidence of access, the data had in fact been accessed.
Information exposed included name, address, billing account number, and Tax ID information (where applicable, i.e. for business accounts). Oh, and your PIN for contacting customer support, which could have allowed bad guys to hijack your account. And, of course, people reuse PINs at least as often as they reuse passwords.
Don’t reuse passwords or PINs. Don’t do it. Do NOT do it.
Also, change your T-Mobile password and make sure you never reuse passwords at any site.