T-Mobile has been contacting hundreds of customers since 10th October after a bug on their website leaked personal data (email address, account number and IMSI number).
Hackers had known about the vulnerability since at least August 6, when a researcher by the name of Moim uploaded a tutorial on YouTube on how to exploit the vulnerability.
The hackers use this information to order a duplicate SIM card and then target the bank accounts or email accounts that use that phone number for two-factor authentication via callback or SMS.
T-Mobile suggests changing the online account password and setting up a SIM Lock, which forces stronger controls when someone tries to order a new or duplicate SIM card for a customer’s phone number.
If you were targeted by hackers taking advantage of this bug, T-Mobile should’ve called you. But if you’re worried someone might target you in the future in a similar way, the company recommends setting up a phone password or passphrase that is only requested when you call T-Mobile support on the phone and is separate and different from the one you use for your online account. This, just like the SIM Lock, adds another layer of security and makes it harder for hackers to hijack your phone number.