A tech security engineer exposed a potentially serious flaw within the T-Mobile rewards program that lists all customer phone numbers. In a recent LinkedIn post, he showed a screenshot of this list appearing on a company promotions page.
Fellow customers expressed outrage at what they felt was an obvious breach of security among other issues with the carrier.
Free list of every T-Mobile customer phone number
Last week, Arctic Wolf security engineer Jake Ashton posted a screenshot from the promotions page of the T-Mobile website asking him to confirm his details. After he inputted his first and last name, it asked him to choose a number from a drop-down menu.
The list that appeared apparently included many phone numbers—far more than Ashton himself ever claimed. He did not like the implications.
“Hey T-Mobile, maybe practices like having all your customers phone numbers available in a selectable list, is why you keep getting hacked,” Ashton suggested. “Whose idea was this?”
Ashton later deleted the post after someone said their number was on the displayed list, but followed up with an explanation on how he produced and tested the results. Another individual—a non-customer—found the same thing. The engineer further said he contacted T-Mobile and was unimpressed with their response.
“I posted as I am a frustrated T-Mobile customer who gets a breach notification from them annually. All they have given me in return is Experian credit monitoring,” he wrote. “I want a cell phone provider that values my information and doesn’t take shortcuts.”
Ashton’s not far from the truth. The company suffered confirmed hacks nearly every year from 2015 to 2023. In June 2025, hackers claimed a T-Mobile breach in June that included over 64 million records.
“This was a needle-in-a-haystack scenario, and we deployed a fix over the weekend,” a T-Mobile spokesperson told the Daily Dot in an email.
The spokesperson added that the incident was “a very narrow edge condition that could only occur after converting a consumer account into a business account, in which an authenticated customer might have seen a limited list of other phone numbers associated with that same business account,” and that “no other customer data of any kind were visible, like names, usage details, billing information or other identifiable or personal information.”
“Is this why I keep getting spam calls?”
In a comment on Ashton’s new post, T-Mobile Sr. Director of Advanced Security Validation Division Chris Wallace commented to say they “were able to reproduce the authenticated portion of it and resolve that logic.” Though the company claimed they solved the problem, many customers remain upset.
Folks on X aired their frustrations with the company and its constant data security issues.
“T-Mobile had every customer’s phone number in a dropdown menu,” wrote @CamHustles. “No login required.”
“Bro what.”
“Is this why I keep getting spam calls @TMobile every f*cking day?!” asked @meenadgaf.
“As a @TMobile customer I’m looking forward to joining the class action lawsuit against them for this @FCC violation,” said @cryptoquick.
On Reddit, some on the T-Mobile sub disputed the idea that this was an issue at all. Commenters claimed Ashton must have been logged in and was only seeing his own phone numbers. However, the company responded in an X reply with a statement suggesting the security flaw was real, if limited.
“This was a very narrow edge condition that could only occur after converting a consumer account into a business account, in which an authenticated customer might have seen a limited list of other phone numbers associated with that same business account,” the account claimed. “We deployed a fix over the weekend.”
“This is what you get from a marketing company that sells technology,” quipped u/dr_octopi.
The internet is chaotic—but we’ll break it down for you in one daily email. Sign up for the Daily Dot’s newsletter here.
