Security researchers discovered a security flaw in the website of T-Mobile US' (NYSE:TMUS) MetroPCS prepaid brand that could have allowed digital thieves to steal customers' home address, type of plan and even their phone's model and serial number.
According to Motherboard, which first reported on the news, the flaw was in the MetroPCS payment page and required only knowing a customer's phone number. Motherboard alerted T-Mobile about the flaw on Oct. 22 and the carrier said it was fixed quickly.
Importantly, the report said that there is no evidence that anyone found the flaw on MetroPCS' website and accessed customers' personal information. Security researchers Eric Taylor and Blake Welsh, who both work at secure payments firm Cinder, found the bug in mid-October.
"It's a pretty nasty bug," HD Moore, a well-known security researcher who works at Rapid7 and who reviewed Taylor's research, told Motherboard. "It seems like a serious privacy exposure."
In theory, a hacker could have written code to automatically harvest the information of potentially millions of customers, according to security researchers contacted by Motherboard.
A T-Mobile spokesperson told Motherboard the company appreciates "responsible disclosure from you and the researcher," but declined to comment any further.
Taylor and Welsh have found similar flaws in other websites in recent months, the report said, and earlier this year they disclosed that hackers could impersonate customers of Verizon (NYSE: VZ) and Charter Communications by taking advantage of flaws in the companies' websites.
The report comes less than two months after credit card data firm Experian disclosed last month that the personal information of around 15 million people who had applied for T-Mobile's postpaid or device financing services had been stolen in a breach.