T-Mobile users recently reported encountering an issue within the company’s official mobile application where they were privy to the account details of other customers. Via social media platforms, users expressed concerns about having access to a plethora of information including names, phone numbers, addresses, outstanding account balances, and even partial credit card details.
The esteemed media outlet The Verge was one of the first to spotlight the occurrence, revealing that some customers found themselves accessing the sensitive data of not just one but several other users, all while logged into their own personal accounts.
Numerous users took to platforms like Reddit and Twitter to share their experiences. While the majority raised the alarm today, several mentioned having encountered this anomaly over the past two weeks.
One aggrieved customer highlighted their attempt to bring this to T-Mobile’s attention over a fortnight ago, including providing evidence to the security team, but to no avail. Another customer recounted previous issues with the company, emphasizing other instances where they felt service was subpar.
T-Mobile has been prompt in clarifying that the recent mishap was not the result of a cyberattack. They firmly stated that their systems remained uncompromised. Further, the company sought to put the issue into perspective by explaining that the incident’s scope was minimal, with fewer than 100 customers being affected.
When BleepingComputer reached out to T-Mobile, a representative elaborated, “The incident was the result of a temporary system glitch, which occurred during a scheduled overnight tech upgrade. This affected the account information of a very limited number of customers and was swiftly rectified.”
T-Mobile’s Security Record in Recent Years:
This isn’t the first time the telecommunication giant has been in the limelight for data-related concerns. As of May, T-Mobile had already reported two data breaches for the year. Earlier in the year, the details of hundreds of customers were laid bare due to a system infiltration. Later, in January, a significant chunk of their clientele, around 37 million to be precise, fell victim to another breach involving one of the company’s Application Programming Interfaces (APIs).
A retrospective look into T-Mobile’s past reveals more such incidents:
- In 2018, data from approximately 3% of their customer base was accessed by external parties.
- The following year saw an undisclosed number of prepaid customer details being exposed.
- 2020 had two major incidents: In March, employees’ data was jeopardized. Then, in December, customer proprietary network data was accessed.
- 2021 witnessed two breaches: In February, an internal app was accessed without authorization, and later in August, there was a breach due to a testing environment vulnerability.
- By April 2022, the infamous Lapsus$ group made headlines by using stolen credentials to penetrate T-Mobile’s defenses.