For the second time this week, a company has been found to have accidentally exposed customer data to virtually anyone. Following TeenSafe's incident, it seems that it's now T-Mobile who has left information unprotected due to a bug. The flaw was discovered in April by security researcher Ryan Stevenson.
The information was exposed through a portal hosted on a T-Mobile subdomain that could be found using search engines such as Google. According to a report by ZDNet, the page is meant for use by T-Mobile employees and it contained a hidden API that allowed them to look up customer information by simply adding the customer's phone number at the end of the web address.
The problem is the site wasn't protected by a password, and anyone who stumbled upon the webpage could have obtained customer data, including their address, full name, billing account number, tax ID number, and even account PINs which are used by customers when contacting phone support.
After the bug was reported, T-Mobile fixed the problem and the website now requires visitors to sign in. The company also rewarded Stevenson with $1,000 as part of its bounty program, saying:
The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.
The company also says that it has no evidence that customer data was stolen via this portal, though history has shown that the scale of these incidents is sometimes not immediately clear.