This is according to a report from Motherboard, which says security researcher Karan Saini discovered the flaw. According to Saini, “T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users.”
The flaw is said to resemble the attack Andrew Auernheimer performed several years ago on AT&T’s website to obtain the email addresses of over 100,000 iPad users. It is unclear how many customers might have been affected by this particular flaw, but T-Mobile claims that it impacted only a small part of its customers.
T-Mobile also issued a statement that reads, “We resolved the vulnerability that was reported to us by the researcher in less than 24 hours and we have confirmed that we have shut down all known ways to exploit it. As of this time we’ve found no evidence of customer accounts affected as a result of this vulnerability.”