A bug in T-Mobile's wsg.t-mobile.com API may have allowed attackers to access customer data that can be used to carry out phishing attacks or worse.
To exploit the flaw, an attacker needed only to know or guess a victim's phone number; the API then returned information including the billing account number, email address, and the phone's IMSI, without verifying that the caller owned that number.
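To make the class of flaw concrete, here is an added, constructed Python example. It is not T-Mobile's code and does not reproduce the wsg.t-mobile.com endpoint; the handler names, session store, subscriber records and log format are all hypothetical. It shows a lookup handler that selects the returned record by a caller-supplied phone number beside one that ties the record to the authenticated session, simulates an attacker walking a list of guessed numbers against each, and adds a simple log check for the enumeration pattern such an attack produces.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Subscriber:
    msisdn: str          # phone number in E.164 form
    billing_account: str
    email: str
    imsi: str


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


class Unauthenticated(Exception):
    pass


# Constructed sample data: fake numbers and identifiers, not real subscribers.
SUBSCRIBERS = {
    "+15555550101": Subscriber("+15555550101", "BAN-000111", "alice@example.com", "310260000000001"),
    "+15555550102": Subscriber("+15555550102", "BAN-000222", "bob@example.com", "310260000000002"),
    "+15555550103": Subscriber("+15555550103", "BAN-000333", "carol@example.com", "310260000000003"),
}

# Hypothetical session store: bearer token -> phone number the caller logged in as.
# The attacker (tok-mallory) holds an ordinary account of their own; the example
# assumes the API required a session at all, which is itself an assumption.
SESSIONS = {"tok-alice": "+15555550101", "tok-mallory": "+15555550199"}


def authenticate(token):
    """Return the phone number bound to a session token, or raise."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated(token)


def lookup_vulnerable(token, msisdn):
    """Broken object-level authorization: the caller is authenticated, but the
    record returned is chosen by the attacker-controlled msisdn parameter, so
    any valid session reaches any subscriber whose number can be guessed."""
    authenticate(token)
    sub = SUBSCRIBERS.get(msisdn)
    if sub is None:
        raise NotFound(msisdn)
    return sub


def lookup_hardened(token, msisdn):
    """Fixed handler: the only record a caller may read is the one bound to
    their session, so the requested number must equal the authenticated one.
    The ownership check runs before the data lookup, so a mismatch never
    reveals whether the guessed number exists."""
    caller = authenticate(token)
    if msisdn != caller:
        raise Forbidden(msisdn)
    sub = SUBSCRIBERS.get(msisdn)
    if sub is None:
        raise NotFound(msisdn)
    return sub


def enumerate_accounts(lookup, token, candidates):
    """Simulate an attacker walking a list of guessed numbers through the API;
    returns the numbers for which a record came back."""
    found = []
    for number in candidates:
        try:
            lookup(token, number)
            found.append(number)
        except (Forbidden, NotFound):
            continue
    return found


def enumeration_suspects(log_lines, threshold):
    """Detection: flag tokens that queried more than `threshold` distinct
    numbers. Constructed log format: '<token> <msisdn> <http_status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        token, msisdn, _status = line.split()
        seen[token].add(msisdn)
    return sorted(t for t, nums in seen.items() if len(nums) > threshold)


GUESSES = ["+15555550100", "+15555550101", "+15555550102", "+15555550103"]

if __name__ == "__main__":
    print(enumerate_accounts(lookup_vulnerable, "tok-mallory", GUESSES))  # three victims
    print(enumerate_accounts(lookup_hardened, "tok-mallory", GUESSES))    # nothing
```

The hardened handler fixes the flaw by deriving the authorized object from the session rather than from the request; rate limiting or the log check alone would only slow enumeration down, not stop it.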
The vulnerability was discovered by Secure7 founder Karan Saini, who told Vice's Motherboard that an attacker could have had access to the information of all 76 million customers.
"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," Saini said. T-Mobile denied the claims and told the publication the issue only affected a small number of customers.
Saini was offered a £760 (US$ 1,000) reward for his discovery under the cellular provider's bug bounty programme. An anonymous hacker claims the bug was exploited in the last few weeks, has posted a tutorial of the exploit on YouTube, and reportedly sent the Vice reporter the reporter's own account information obtained through it.