Protecting your sensitive data seems to be more difficult than ever. More often than not, it’s not your fault that your data has been breached and in most instances, the companies themselves are responsible due to unsecured websites and bugs in their software.
Massive data breaches like the one at Equifax that we learned about last year aren’t helping matters. Critical data like your Social Security number, name, phone number, date of birth and more was exposed in that breach.
Now, it looks like another serious oversight from a major phone carrier may have exposed the personal details of millions of its customers.
This online tool exposed personal details
A bug in a T-Mobile online tool may have allowed anyone to access the personal details of millions of subscribers with just their cellphone number.
Details include full names, postal addresses, billing account numbers, and in some cases, even tax identification numbers and account PINs used for customer support.
The bug was publicly revealed by security researcher Ryan Stephenson, who first reported it to T-Mobile in early April via the carrier’s bug bounty program.
T-Mobile took the tool offline a day after the report and Stephenson was awarded $1,000 for his efforts.
What was the bug?
According to ZDNet, the bug affected an internal customer care portal used by T-Mobile’s employees to access internal tools and look up customer account details.
The problem? The tool was not password protected and could be used by anyone who knew where to look.
Apparently, the tool’s subdomain, “promotool.t-mobile.com,” is easily found through online searches, and it had a hidden interface that allowed anyone to view T-Mobile customer data by simply adding their phone number to the end of the web address.
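The pattern described above, as an added illustration that is not T-Mobile's code: a lookup keyed only by the phone number in the URL, next to a version that requires a signed employee session, checks the role and records every lookup. The /lookup/ route, the care_agent role, the session format and the sample record are all assumptions constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample record; not real customer data.
ACCOUNTS = {"5550100123": {"name": "Sample Customer", "billing_account": "ACCT-0001"}}
SESSION_KEY = b"demo-only-key"                 # assumption: server-side signing secret
ROUTE = re.compile(r"^/lookup/(\d{10})$")      # hypothetical route: number ends the URL
AUDIT_LOG = []                                 # (employee, phone number) per lookup


def _fetch(path):
    """Shared record lookup: returns (status, record) for a request path."""
    m = ROUTE.match(path)
    rec = ACCOUNTS.get(m.group(1)) if m else None
    return (200, rec) if rec else (404, None)


def lookup_unprotected(path):
    """The flawed pattern: knowing a phone number is the only requirement."""
    return _fetch(path)


def _mac(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign_session(user, role):
    """Issue a session token after the employee has logged in (login not shown)."""
    return f"{user}|{role}|{_mac(f'{user}|{role}')}"


def verify_session(token):
    """Return (user, role) for a correctly signed token, otherwise None."""
    try:
        user, role, mac = token.split("|")
    except (AttributeError, ValueError):       # missing or malformed token
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(f"{user}|{role}").encode())
    return (user, role) if ok else None


def lookup_protected(path, session_token):
    """Authenticate, authorize by role, then audit before returning data."""
    session = verify_session(session_token)
    if session is None:
        return 401, None                       # no valid login
    user, role = session
    if role != "care_agent":
        return 403, None                       # logged in, but not allowed
    m = ROUTE.match(path)
    if m:
        AUDIT_LOG.append((user, m.group(1)))   # evidence of who looked up what
    return _fetch(path)
```

With an audit trail like this, the question of whether customer information was accessed can be answered from records rather than from the absence of evidence.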
A T-Mobile representative said that “the bug was patched as soon as possible and [they] have no evidence that any customer information was accessed.” But how can they be so sure?
Although the flaw is now fixed and the tool is offline, no one knows how long the tool was publicly accessible or how much data may have been stolen.
This sensitive data can then be used by hackers and identity thieves to reset passwords to your other accounts, change account settings and worse, set up port-out or SIM card scams.
Watch out for port-out scams
A port-out scam is a clever scheme for identity thieves to not only get into your online accounts but to drain your bank accounts too by intercepting your text-based two-factor authentication codes.
Using your personal information (like the data that’s included in this current breach), criminals will contact your carrier pretending to be you, and tell them that you’re switching to another carrier but want to keep your phone number.
However, during the transition, both phones could be functional. During this window of opportunity, a scammer can have access to all of your text-based authentication codes too.
That means any text messages that you receive on your phone will also be seen by the scammer on the phone to which your number is being transferred.