Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers

by

A security flaw in Apple's online store exposed the account PINs of more than 72 million T-Mobile customers, reports BuzzFeed News.

The vulnerability was discovered by security researchers Phobia and Nicholas "Convict" Ceraolo, who also found a similar flaw in the website for phone insurance company Asurion that exposed AT&T account PINs.

Both Apple and Asurion fixed the website flaws that left the PINs vulnerable after learning about them from BuzzFeed News. Apple opted not to provide further comment on the situation, but told BuzzFeed News that it is "very grateful to the researchers who found the flaw."

tmobileapplepage

The page on Apple's site that let hackers brute force PINs, via BuzzFeed News

PINs, or passcodes, are numbers that are used as an additional account security measure by many carriers in the United States. Mobile device PINs are typically a last line of defense for a cellular account as both carrier websites and support staff will ask for the PIN for confirmation before making account changes.

SIM hacking, which uses social engineering to get carrier support staff to transfer a person's phone number to a new SIM, has become increasingly prevalent due to the number of accounts (bank, email, social media, etc.) that are tied to a person's phone number. A PIN is used as a defense mechanism against SIM hacking, which means exposed PINs can be particularly dangerous.

Accessing the T-Mobile PINs on Apple's website involved a brute force attack where a hacker used software to input multiple different numeric combinations to guess the proper one.

As BuzzFeed News explains, after initiating a T-Mobile iPhone purchase on the Apple online store and selecting monthly payment options through T-Mobile, Apple's site directs users to an authentication form asking for a T-Mobile number and account PIN or last four digits of a social security number (which most carriers use in place of a PIN when one has not been set).

The page allowed for infinite entry attempts into the PIN field, enabling the brute force attack that let hackers guess PINs associated with a T-Mobile phone number.

The security vulnerability appears to have been limited to T-Mobile accounts, as the same validation page for other carriers on Apple's site uses a rate limit that locks access to the form for 60 minutes after five to 10 incorrect entries. Given that the other carrier pages had rate limiting enabled, it's likely Apple made an error on the T-Mobile page.

According to Ceraolo, the vulnerability is likely due to an engineering mistake made when connecting T-Mobile's account validation API to Apple's website.

A similar vulnerability on Asurion's website exposed an unspecified number of AT&T account PINs. An AT&T spokesperson said that it is working with Asurion to investigate the issue and will "take any additional action that may be appropriate."

A phone number was required for both of these attacks, limiting the number of people who may have been impacted, but AT&T and T-Mobile customers who are concerned about their account safety should choose a new PIN.

Tags: AT&T, T-Mobile

Popular Stories

iOS 26

When Will Apple Release iOS 26.2?

Monday December 1, 2025 4:37 pm PST by
We're getting closer to the launch of the final major iOS update of the year, with Apple set to release iOS 26.2 in December. We've had three betas so far and are expecting a fourth beta or a release candidate this week, so a launch could follow as soon as next week. Past Launch Dates Apple's past iOS x.2 updates from the last few years have all happened right around the middle of the...
Read Full Article25 comments
maxresdefault

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Monday December 1, 2025 3:00 am PST by
Apple is expected to launch a new foldable iPhone next year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that 2026 could indeed be the year that Apple releases its first foldable device. Subscribe to the MacRumors YouTube channel for more videos. Below, we've collated an updated set of key details that ...
Read Full Article49 comments
Sad Siri Feature

Apple AI Chief John Giannandrea Retiring After Siri Delays

Monday December 1, 2025 2:16 pm PST by
Apple AI chief John Giannandrea is stepping down from his position and retiring in spring 2026, Apple announced today. Giannandrea will serve as an advisor between now and 2026, with former Microsoft AI researcher Amar Subramanya set to take over as vice president of AI. Subramanya will report to Apple engineering chief Craig Federighi, and will lead Apple Foundation Models, ML research, and ...
Read Full Article98 comments
Netflix Smaller 4

Netflix Kills Casting From Its Mobile App to Most Modern TVs

Monday December 1, 2025 4:36 am PST by
Netflix has quietly removed the ability to cast content from its mobile apps to most modern TVs and streaming devices, including newer Chromecast models and the Google TV Streamer. The change was first spotted by users on Reddit and confirmed in an updated Netflix support page (via Android Authority), which now states that the streaming service no longer supports casting from mobile devices...
Read Full Article109 comments
ios 18 to ios 26 upgrade

Apple Pushes iPhone Users Still on iOS 18 to Upgrade to iOS 26

Tuesday December 2, 2025 11:09 am PST by
Apple is encouraging iPhone users who are still running iOS 18 to upgrade to iOS 26 by making the iOS 26 software upgrade option more prominent. Since iOS 26 launched in September, it has been displayed as an optional upgrade at the bottom of the Software Update interface in the Settings app. iOS 18 has been the default operating system option, and users running iOS 18 have seen iOS 18...
Read Full Article255 comments
Touchscreen MacBook Feature

Here Are the Four MacBooks Apple Is Expected to Launch Next Year

Monday December 1, 2025 5:00 am PST by
2026 could be a bumper year for Apple's Mac lineup, with the company expected to announce as many as four separate MacBook launches. Rumors suggest Apple will court both ends of the consumer spectrum, with more affordable options for students and feature-rich premium lines for users that seek the highest specifications from a laptop. Below is a breakdown of what we're expecting over the next ...
Read Full Article55 comments
iphone 17 cyber

iPhone 17 Demand Is Breaking Apple's Sales Records

Tuesday December 2, 2025 9:44 am PST by
Apple's iPhone 17 lineup is selling well enough that Apple is on track to ship more than 247.4 million total iPhones in 2025, according to a new report from IDC. Total 2025 shipments are forecast to grow 6.1 percent year over year due to iPhone 17 demand and increased sales in China, a major market for Apple. Overall worldwide smartphone shipments across Android and iOS are forecast to...
Read Full Article128 comments
Cyber Week Deals 2025

Best Cyber Week Apple Deals Include Big Discounts on AirPods, Apple Watch, and More

Sunday November 30, 2025 7:33 am PST by
Cyber Week is here, and you can find popular Apple products like AirPods, iPad, Apple Watch, and more at all-time low prices. In this article, the majority of the discounts will be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. Specifically,...
Read Full Article13 comments
iOS 26

What to Expect From Apple This December: iOS 26.3 Beta, Replay 2025, and More

Monday December 1, 2025 8:40 am PST by
The calendar has turned to December, and the quieter year-end holiday season is now upon us. Nevertheless, we can still expect a few things from Apple this month. Apple previously announced that iOS 26.2 will be released to the general public in December, and we can expect corresponding updates to be released as well, including iPadOS 26.2, macOS 26.2, watchOS 26.2, tvOS 26.2, and visionOS...
Read Full Article17 comments
studio display purple february

M5 iPad Pro Could Hint at New Studio Display Feature

Sunday November 30, 2025 10:30 am PST by
The updated specs of the M5 iPad Pro may point toward a major new feature for Apple's next-generation Studio Display expected in early 2026. Apple's latest iPad Pro debuted last month and contains one display-related change that stands out: it can now drive external monitors at up to 120Hz with Adaptive Sync. The feature should deliver lower latency, smoother motion, and fewer visual...
Read Full Article49 comments

Top Rated Comments

mistasopz Avatar
mistasopz
95 months ago
But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.
Score: 41 Votes (Like | Disagree)
RoobyRoobyRoo Avatar
RoobyRoobyRoo
95 months ago
But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.
Having the best security =/= flawless security. No tech company is completely flawless. But go ahead and chastise Apple for not being absolutely perfect, because that's so productive.
Score: 24 Votes (Like | Disagree)
Doctor Q Avatar
Doctor Q
95 months ago
Four digits isn't a very long PIN. Even if the software now locks access to the form for 60 minutes after five to 10 incorrect entries, it doesn't block the exploit, just slow it down.

It seems to me that a bot could try 10 guesses for one phone number, which would lock the form for that phone number, then immediately switch to another phone number. If the phone number is locked for the IP address, it could use another IP address too.

If so, let's try a little math here: Rather than a bot trying one phone number and 10,000 different PINs in rapid succession to break it, it could try five to ten PINs for every phone number it's working on in the first hour, then try another five to ten PINs for every phone number in the second hour, and so on. In as few as 42 days it could crack every phone number. If it was trying to crack 10,000 phone numbers, it would succeed on an average of 238 phone numbers per day. That's still pretty vulnerable.
Score: 17 Votes (Like | Disagree)
mi7chy Avatar
mi7chy
95 months ago
Apple don't care about security because even after several security incidents customers are brain washed into thinking Apple is flawless.
Score: 10 Votes (Like | Disagree)
zakarhino Avatar
zakarhino
95 months ago
Security issue after security issue for T-Mobile and many carriers in general. Remember when T-Mo Germany said they don't need to salt their passwords because their security is "that good"? Or when it was discovered that it's very easy to get access to a T-Mo account AND clone people's sims because T-Mo doesn't have very good security practices beyond asking for the last 4 of your SSN? I've heard stories of people phoning up carriers under the guise of being a store employee and they get access to all sorts of information without thorough identity verification!

I know Apple are the guys that purportedly screwed up here but when you look at T-Mobile's security in general, it doesn't have a very good track record, it should have never been possible for the Tmo verification API to allow unlimited requests without a time limit. These carriers need to seriously update their security practices. Just accepting the last 4 digits of your social security number is no longer a viable option.
Score: 8 Votes (Like | Disagree)
nvmls Avatar
nvmls
95 months ago
Squeeze that privacy/security coin Timo!
Score: 6 Votes (Like | Disagree)
Read All Comments