The subdomain apparently had a hidden API that would surface personal details, so customer service reps could look up subscribers' details. Problem was, it wasn't protected by a password. Bad actors can then use those details to reset people's email and bank passwords, among other things, by convincing customer service reps that they're the owner of those accounts.

T-Mobile already pulled the API offline after security researcher Ryan Stevenson, who was awarded $1,000 from the company's bug bounty program, reported it to the carrier. A spokesperson told ZDNet that "The bug was patched as soon as possible and [they] have no evidence that any customer information was accessed." It's worth noting, however, that the carrier said the same thing last year, but a hacker came forward and told Motherboard that "a bunch of SIM swapping kids" had been using it for quite a while. Hopefully, nobody other than Stevenson caught wind of this particular bug and used it for nefarious purposes.