A security researcher found a potentially damaging vulnerability on T-Mobile’s company website

 

The vulnerability found on T-Mobile’s company website last December was just revealed this week. The bug was so severe that hackers could have easily hijacked and taken control of customer accounts.

The flaw on their website allowed hackers to log into T-Mobile accounts as any customer because T-Mobile left logs of customer logins exposed on the internet, and that allowed anyone that knew where to look to steal their session cookies.

T-Mobile acted swiftly upon receiving the news that the bug existed and sent out a critical patch within a day of receiving the tip. T-Mobile has stated that no customer accounts were compromised, though the length of time the vulnerability was accessible has not been disclosed.

Of course, in October 2017, T-Mobile also had a security issue where they reported another flaw that let hackers access customers’ sensitive information. In that incident, hackers were able to obtain email addresses, billing account numbers and the phone’s unique customer identification number or IMSI.

Since that attack, scammers have been actively targeting T-Mobile customers by hijacking their phone numbers and even stealing money from bank accounts they have linked to their phone numbers.

The scam is fairly simple. All the criminal needs to do is to contact T-Mobile and pretend to be you. That’s not difficult with all of that sensitive data that they obtained. They have the customer service representative issue a new SIM card for your number and as soon as the criminal activates it they take control of your phone number.

Since phone numbers are a common password recovery option for forgotten passwords, the scammers may have easy access to your email account, social media accounts, and even bank accounts.

While there’s not a lot you could do to avoid this hack from potentially affecting your account, it’s important to monitor your accounts to keep an eye out for anything suspicious and to change your passwords frequently. The businesses that have your sensitive information should be keeping it under wraps, but often times fail to do so, so don’t rely on anyone else keeping you safe. Make sure you stay on your toes.