Up until last week, a T-Mobile website had a serious security hole that let hackers access user’s email addresses, accounts and a phone’s IMSI network code, according to a report from Motherboard. Attackers only needed your phone number to obtain the information, which could be used in social engineering attacks to commandeer your line, or worse.
The security research who discovered the hole, Karan Saini from startup Secure7, notes that anyone could have run a script to scrape the data of all 76 million T-Mobile users and create a searchable database. “That would effectively be classified as a very critical data breach, making every T-mobile cell phone owner a victim,” he told Motherboard.
T-Mobile said in a statement that “we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly.” Saini notes that T-Mobile offered him a $1,000 reward as part of its bug bounty program.
A bunch of SIM swapping kids had [the hack] and used it for quite a while.
However, an anonymous hacker disputes T-Mobile’s claim that the bug wasn’t shared broadly, telling Motherboard that “a bunch of SIM swapping kids had [the hack] and used it for quite a while.” They could have exploited the data to “socially engineer,” or basically con, T-Mobile technicians into handing over replacement SIMs by pretending they’re the owners of the line. Motherboard also discovered a YouTube video dated August 6th that describes exactly how to execute the hack.
In fact, this is exactly what happened to Techcrunch writer John Biggs on August 22nd. After impersonating him and obtaining a replacement for his T-Mobile SIM, a hacker was able to quickly change his Gmail, Facebook, and other passwords, even though they were protected by two-factor SMS authentication.
It’s impossible to say whether the security hole helped the hackers swindle hapless T-Mobile tech support employees into sending them replacement SIMs, but it certainly appears plausible. (Tech support folks are supposed to require security question responses, invoices and other information, but often hand over SIMs to smooth-talking hackers without it.) We’ve reached out to T-Mobile and the FCC to find out if there was an uptick in such attacks over the last few months.