Affiliate links on Android Authority may earn us a commission.Learn more.

Hackers may have accessed data of millions of T-Mobile customers

June 22, 2025

The research, Karan Saini of security startupSecure7toldMotherboard,

This obviously has majorsecurity implications. Saini even went as far as to classify it as a “very critical data breach” where “every T-Mobile cell phone owner (is) a victim”. Using this information, it could be easier than ever to socially engineer access to your account.

Earlier this year, several well-known YouTuberswere hacked via social engineering. Hackers called T-Mobile’s customer care with just enough information to get reps to issue a new SIM card number for the target’s phone number. The hacker would then insert that SIM card into their own phone and hijack the YouTuber’s phone number. All of their calls and text messages would then go to the hacker. This has severe security implications since so many services use text messages fortwo-factor authentication.

This specific bug was within a T-Mobile API. When querying a phone number, Saini says that the system would return a response will all of the account information associated with it. To its credit,T-Mobilesays it patched the bug within 24 hours of being notified. It also disputes Saini’s claim that all T-Mobile customers were vulnerable. T-Mobile says that only a small part of its customers were affected and there’s no indication that the exploit was shared more broadly.

A blackhat hacker is throwing water on that claim. AfterMotherboardfirst published its story, the hacker contacted the author to inform them that the exploit had been widely used in the weeks running up to it being patched. The hacker even passed along the author’s account details to them to prove its claim. When contacted about the hacker’s claim, T-Mobile responded with the following statement:

Regardless of how many customers were affected or how much information was obtained, we suggestT-Mobilecustomers take steps to protect themselves. The account holder can add a password to the account and prevent things like issuing new SIM card numbers or adding lines to an account. In light of recent events, that doesn’t seem like the worst idea.

Thank you for being part of our community. Read ourComment Policybefore posting.