A bug is leaking customer data on T-Mobile’s website. Reuters/Shannon Stapleton

A bug caused T-Mobile's website to readily share customer data with anyone on the internet.

ZDNet recently learned that a bug in T-Mobile's website allowed anyone to access the personal account details of any customer using nothing more than that customer's phone number. The problem has since been fixed, but it put a lot of customers at risk.

The bug was first discovered by security researcher Ryan Stevenson in early April. He found that a hidden API on T-Mobile's subdomain promotool.t-mobile.com — a "Customer Care Portal" for employees — allowed anyone to retrieve a customer's data simply by appending the customer's phone number to the end of the URL.

The API was intended for T-Mobile staff only. But because the portal required no password or other authentication, anyone with an ulterior motive who found the URL could use it. So, again, T-Mobile put its customers at risk.

The leaked data included a customer's full name, postal address and billing account number, and in some cases a tax identification number. It also exposed whether a customer's bill was past due or whether the customer's service had been suspended.

Worse, the bug also leaked references to the account PINs that customers use as a security question when they contact phone support. Details like these could be used by anyone to hijack accounts.
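To make the failure concrete, here is an added illustration (not T-Mobile's code, and not the actual portal) of the pattern the article describes: an internal customer-lookup endpoint keyed by phone number with no authentication, placed beside a hardened version that checks the caller's session and role, validates the identifier, logs every lookup so bulk querying can be detected, and never returns PIN or tax-id material to the browser. All customer records, session tokens and role names below are constructed placeholders.

```python
"""Unauthenticated lookup endpoint versus a hardened one (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records; every value is a placeholder, not real data.
CUSTOMERS = {
    "2125550100": {
        "name": "Sample Customer",
        "postal_address": "1 Example Street, Anytown",
        "billing_account": "ACCT-000001",
        "past_due": False,
        "suspended": False,
        "tax_id": "TAXID-PLACEHOLDER",
        "account_pin": "0000",
    },
}

# Constructed employee session store: token -> (username, role). A real
# portal would back this with SSO; the structure is an assumption here.
SESSIONS = {
    "tok-agent": ("agent.example", "care_agent"),
    "tok-guest": ("guest.example", "marketing"),
}

PHONE_RE = re.compile(r"^\d{10}$")
AUDIT_LOG: list = []


@dataclass
class Request:
    phone: str                      # comes from the URL path, so untrusted
    session_token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def vulnerable_lookup(req: Request) -> Response:
    """The pattern the article describes: whoever knows the URL and a phone
    number receives the full record, PIN included, with no login at all."""
    record = CUSTOMERS.get(req.phone)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(record))


# Fields a care agent legitimately needs during a support call. Secrets such
# as the account PIN and tax id stay server-side and are verified there.
VISIBLE_FIELDS = ("name", "postal_address", "billing_account",
                  "past_due", "suspended")


def hardened_lookup(req: Request) -> Response:
    """Same lookup with authentication, authorisation, input validation,
    field-level redaction and an audit trail."""
    # 1. Authentication: a valid employee session is required.
    session = SESSIONS.get(req.session_token or "")
    if session is None:
        return Response(401, {"error": "authentication required"})
    user, role = session
    # 2. Authorisation: only the customer-care role may query accounts.
    if role != "care_agent":
        AUDIT_LOG.append({"user": user, "phone": req.phone, "allowed": False})
        return Response(403, {"error": "forbidden"})
    # 3. Validate the identifier instead of passing arbitrary input through.
    if not PHONE_RE.match(req.phone):
        return Response(400, {"error": "invalid phone number"})
    record = CUSTOMERS.get(req.phone)
    # 4. Record every lookup; a spike of lookups by one user is a signal.
    AUDIT_LOG.append({"user": user, "phone": req.phone, "allowed": True,
                      "found": record is not None})
    if record is None:
        return Response(404, {"error": "not found"})
    # 5. Return only the fields needed for the task, never the PIN.
    return Response(200, {k: record[k] for k in VISIBLE_FIELDS})


if __name__ == "__main__":
    print(vulnerable_lookup(Request("2125550100")))
    print(hardened_lookup(Request("2125550100")))
    print(hardened_lookup(Request("2125550100", "tok-agent")))
```

The design point is that a "hidden" URL is not a control: the hardened handler refuses the request before it ever touches customer data, and even a legitimate agent only sees the fields the call requires, so a later leak of the response cannot expose the PIN.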

T-Mobile has already addressed the issue: it shut down the API a day after Stevenson reported it. The researcher was later awarded $1,000 through the company's bug bounty program, and a T-Mobile spokesperson issued a statement on the incident.

“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure,” the spokesperson said. “The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”

Android Police pointed out that a similar bug was discovered last fall. At the time, T-Mobile said it addressed the problem within 24 hours of learning of it. However, it later emerged that the bug had given attackers a window of a few weeks in which to exploit the vulnerability.