Motherboard: Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years. “Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017. The documents list not only the companies that had access to the data, but specific phone numbers that were pinged by those companies.”
The Register: AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don’t believe them. “US cellphone networks have promised – again – that they will stop selling records of their subscribers’ whereabouts to anyone willing to cough up cash.” I don’t believe them either.
Motherboard: I Gave a Bounty Hunter $300. Then He Located Our Phone. “T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.”
Engadget: Hackers gain access to millions of T-Mobile customer details. “T-Mobile has fallen foul of yet another cybersecurity issue. In a statement released this week the company said that an unauthorized entry into its network may have given hackers access to customer records, including billing ZIP codes, phone numbers, email addresses and account numbers. According to T-Mobile, the intrusion was quickly shut down, and no financial data, social security numbers or passwords were compromised.”
ZDNet: T-Mobile bug let anyone see any customer’s account details. “A bug in T-Mobile’s website let anyone access the personal account details of any customer with just their cell phone number. The flaw, since fixed, could have been exploited by anyone who knew where to look — a little-known T-Mobile subdomain that staff use as a customer care portal to access the company’s internal tools. The subdomain — promotool.t-mobile.com, which can be easily found on search engines — contained a hidden API that would return T-Mobile customer data simply by adding the customer’s cell phone number to the end of the web address.”
Motherboard: ‘Critical’ T-Mobile Bug Allowed Hackers To Hijack Users’ Accounts. “Hackers could have hijacked and taken control of T-Mobile’s customer accounts thanks to a severe bug on the company’s website. The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn’t been revealed until now. Within a day, T-Mobile classified it as ‘critical,’ patched the bug, and gave the researcher a $5,000 reward. That’s good news, but it’s unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed.”
Motherboard: T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number. “Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer’s T-Mobile account number, and the phone’s IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.”