Millions of customer account records were left unprotected and exposed after a T-Mobile web domain was left unsecured. Information such as names, addresses and tax identification numbers was left exposed for anyone to access.
The unsecured website was, in fact, designed as a customer care portal for employees. What was first reported as a security flaw was later found to be indexed by search engines as well, and the tools required no password to access.
Simply appending a customer's phone number to the end of the web address returned the customer's full name, postal address, billing account number, tax ID number, the account PIN used to verify the account, and other account information. Details such as when the bill was due and whether service was suspended were just as easily available.
The website's flaw stemmed from an unprotected API. T-Mobile said that it immediately pulled the website offline and fixed the bug. A T-Mobile spokesperson said the company has no evidence that the customer data was misused, but once information has been exposed, one can never be certain that it was not.
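The pattern the report describes, a customer lookup keyed by nothing more than a phone number appended to the URL, shown beside a hardened handler, as an added illustration that is not T-Mobile's code and does not come from the report. The endpoint path, session tokens, roles and customer records are constructed for the example; the hardened version authenticates the caller, checks the caller's role, validates the input, returns only the fields that role needs (the tax ID masked, the PIN never), and writes an audit entry for every lookup so that enumeration of numbers shows up in the log.

```python
"""Added example, not code from T-Mobile or from the article.

Contrasts a customer-care lookup that trusts only the phone number in the URL
with a handler that authenticates, authorises, validates, minimises and audits.
All paths, tokens and records below are constructed for this example.
"""
import hmac
import re

# Constructed sample records (fictitious values).
CUSTOMERS = {
    "5550100001": {
        "name": "Ada Example",
        "address": "1 Sample Street, Anytown",
        "billing_account": "BA-000001",
        "tax_id": "000-00-0001",
        "account_pin": "1234",
        "bill_due": "2018-06-01",
        "suspended": False,
    },
    "5550100002": {
        "name": "Bob Sample",
        "address": "2 Sample Street, Anytown",
        "billing_account": "BA-000002",
        "tax_id": "000-00-0002",
        "account_pin": "9876",
        "bill_due": "2018-06-15",
        "suspended": True,
    },
}

# Constructed session store: opaque bearer token -> (username, role).
SESSIONS = {
    "tok-agent-0001": ("agent01", "care_agent"),
    "tok-viewer-0001": ("viewer01", "read_only"),
}

# Fields a care agent may see; tax_id is masked and account_pin never leaves the server.
AGENT_FIELDS = ("name", "address", "billing_account", "bill_due", "suspended")
PHONE_RE = re.compile(r"^\d{10}$")


def insecure_lookup(path):
    """The vulnerable pattern: phone number taken from the URL, no authentication,
    the whole record returned. Hypothetical path: /customer-care/<phone>."""
    phone = path.rstrip("/").rsplit("/", 1)[-1]
    return CUSTOMERS.get(phone)


class AuthError(Exception):
    """Raised when the caller is unauthenticated or not authorised."""


def _resolve_session(token):
    """Map a bearer token to (user, role); constant-time comparison so the
    lookup itself does not leak which tokens exist."""
    if not token:
        return None
    for known, identity in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return identity
    return None


def secure_lookup(path, bearer_token, audit_log):
    """Hardened handler: authenticate, authorise, validate, minimise, audit."""
    identity = _resolve_session(bearer_token)
    if identity is None:
        raise AuthError("authentication required")
    user, role = identity
    if role != "care_agent":
        raise AuthError("role %r may not view customer records" % role)

    phone = path.rstrip("/").rsplit("/", 1)[-1]
    if not PHONE_RE.match(phone):
        raise ValueError("phone number must be exactly 10 digits")

    record = CUSTOMERS.get(phone)
    # Log the lookup whether or not the number exists, so enumeration is visible.
    audit_log.append({"user": user, "phone": phone, "found": record is not None})
    if record is None:
        return None

    view = {k: record[k] for k in AGENT_FIELDS}
    view["tax_id_last4"] = record["tax_id"][-4:]  # masked, never the full value
    return view


def verify_pin(phone, supplied_pin):
    """The account PIN is compared server-side and is never sent to the client."""
    record = CUSTOMERS.get(phone)
    if record is None:
        return False
    return hmac.compare_digest(record["account_pin"], supplied_pin)
```

The audit entry is written before the not-found branch on purpose: a run of lookups against numbers that do not exist is exactly the signal a detection rule would key on, and a handler that only logs successful hits would hide it.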