Update: T-Mobile provided us a statement on the situation.
“There was no cyberattack or breach at T-Mobile. This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.”
T-Mobile
We’ve updated our coverage below to reflect this information.
The official T-Mobile app’s “Bill” tab was showing customers other people’s information instead of their own overnight, and giving full access to the bill page and profile settings.
Reports began coming in at around 3:00 AM Eastern, and the issue appeared fixed around 6:00 AM, though there are still a few reports of the issue persisting.
It seems a limited set of fewer than 100 accounts was appearing to numerous users. Multiple users online have said they were seeing the same alternate account as others.
In addition, and more worryingly, not only did the app show the current bill due and the name of each line holder, but the profile page in the “More” tab showed the full address and all payment methods added to the account.
The billing addresses on these accounts were changed numerous times during the hours the app bug was active. Many payments were made on these accounts as well. This was likely done by users unaware they were changing someone else’s account.
Overall, names, phone numbers, addresses, email addresses, and the last four digits of cards and bank accounts all appear to have been exposed. Profile settings like Caller ID names, paperless billing settings, and media options like HD video were all accessible and changeable.
Multiple users on Reddit have shared that the issue has happened to them, and they are seeing other people’s accounts. For security reasons, the moderators of the subreddit have removed these posts.
The best case scenario would have been that these accounts are internal test accounts, and not actual customer accounts. However, T-Mobile has confirmed these were a limited set of real accounts. Those accounts have mistakenly had real cards linked and payments made in error, which T-Mobile will have to reverse.
It’s currently unclear what, if any, restitution T-Mobile will offer this limited number of affected customers.
This latest example of leaked customer data comes on the heels of T-Mobile removing the autopay discount benefit for customers who pay with credit cards. It’s yet another example of why customers were so upset they’d have to link debit or bank account information. It’s also the second breach of data this year, though nowhere near as many people are affected this time around.
We here at The Mobile Report consider this issue extremely severe, and we have waited to publish this information until we were reasonably confident the issue was no longer active.
When we initially learned of this issue, we contacted T-Mobile Media Relations. We received a response that said “We’re looking into this”. Since then, bill pages appear to be working as expected, and we’ve confirmed with numerous other customers that they are also now only seeing their own information. T-Mobile later offered the statement provided above.
Clearly in this case there was no malicious intent. That being said, such an issue shouldn’t have been possible, and safeguards should be in place to prevent this from happening. Hopefully T-Mobile has learned exactly what happened and can prevent it from occurring in the future.