Clark Howard

T-Mobile website data breach exposed customer addresses, PINs

T-Mobile may bill itself as the “Un-carrier” because it bucks customer-unfriendly practices in the wireless industry, but it looks like they’re not so different than other companies when it comes to data breaches.

According to an exclusive ZDNet report, a website bug on T-Mobile.com allowed anyone with access to a web browser to run a phone number and determine the home address and account PIN of the customer to whom it belonged.

RELATED: T-Mobile/Sprint merger deal: Here's what it could mean for you

A look inside the T-Mobile data breach

Security researcher Ryan Stevenson is credited with discovering an exploit on the T-Mobile website that allowed a subdomain used by employees to look up personal account details to be broadly exposed to anyone.

At the center of this T-Mobile data breach is a thinly hidden tool, located at https://promotool.t-mobile.com/, that did not require password protection.

It therefore allowed people to access the following info easily by attaching a cell phone number to the end of the web address:

  • Customers' full names
  • Their mailing addresses
  • Account PINs used as a security question for customer service phone support
  • Billing account numbers
  • Past due bill notices
  • Service suspension notices
  • Tax identification numbers (in some instances)

Unfortunately, the subdomain was highly discoverable by Google and other search engines, which is tantamount to broadcasting your private info to anyone with access to a web browser.

That bit about account PINs for security purposes being exposed is particularly dangerous. Such info could play a key role in what's called 'SIM hijacking,' where criminals outsmart the safety design of two-factor authentication to take control of your financial accounts.

The basic idea with SIM hijacking is that a crook who has your account PIN or other identifying info can call your wireless carrier and impersonate you. Then they can convince the customer rep to issue a new SIM card for your phone number, which they can activate to take control of your number.

We've got a full report on the dangers of SIM hijacking and how you can protect yourself right here.

Meanwhile, research done by ZDNet indicates that this T-Mobile.com web data breach was likely active as far back as October of last year. Thankfully, T-Mobile shut it down last month the day after Stevenson — acting as a “white hat” hacker and claiming a $1,000 bug bounty — informed the company of the exploit.

In other news, T-Mobile is currently courting Sprint in an effort to merge and reduce the wireless industry from four big players to only three.

And though T-Mobile promises the proposed $26 billion merger will lower wireless prices, money expert Clark Howard thinks of otherwise. His opinion is based on historical precedent in other countries where the market contracted from four players down to three.

Here are five of the likeliest impacts consumers will face if the merger goes through.

More cell phone stories on Clark.com: