Originally posted on SlashGear on May 24, 2018 by Brittany A. Roston.

One of T-Mobile’s websites left a tool exposed that let anyone look up personal account data on the carrier’s customers. Only the customer’s phone number was required to retrieve the information, leaving many people vulnerable to data theft. The issue has since been fixed, but it’s unclear how many customers may have been impacted by it.

The issue was discovered in April by security researcher Ryan Stevenson, according to ZDNet, which states that T-Mobile removed access to the tool a day after being notified. Stevenson was awarded $1,000 under the carrier’s bug bounty program.

A subdomain called promotool.t-mobile.com was the source of the data exposure. According to the report, it appears the domain was intended for T-Mobile workers to access customer information during the course of their job. However, it could be discovered using search engines, providing anyone who found it with potential access to any customer’s data.

When visiting the promo tool domain now, visitors are presented with a simple “Customer Care Portal” note and a “Sign In” link. Only those with credentials can sign in to use the portal. Before the fix, however, it left a large amount of data exposed.

According to ZDNet, before being fixed, the customer care portal exposed information including tax ID numbers, the customer’s complete name, account number, address, service and bill payment status, and possibly even account PINs. This isn’t the first time T-Mobile has left customer info exposed. Late last year, Motherboard discovered a similar bug that let hackers access account information using only the customer’s phone number.


The Hannon Law Firm can help if your personal, confidential information has been breached by hackers. The Hannon Law Firm is currently serving as liaison counsel in the National Chipotle Data Breach class action. HLF filed the only class action against Equifax in the State of Colorado for the breach of 143 million Americans’ personal information. We proudly serve clients nationally.

If you believe you’ve been affected by the T-Mobile data breach, we are here to help. You can call our office at 303-861-8800 or fill out the form below.