VYPR
breach · Published May 22, 2026 · 1 source

Trump Mobile Website API Flaw Exposed Data of Over 27,000 Customers

A security researcher discovered an API vulnerability in the Trump Mobile website that leaked names, addresses, and order details of over 27,000 customers via simple POST requests.

A security researcher who goes by "Louis" has disclosed a now-patched API vulnerability in the Trump Mobile website that exposed the personal data of over 27,000 customers. The flaw, which required only a simple HTTP POST request to exploit, allowed access to names, addresses, phone numbers, and order details. Louis, a self-described "nerd between jobs," told The Register that the vulnerability was trivial to exploit: "It was a really simple HTTP request. POST, and then just asking for the info I wanted, basically."

The researcher discovered the issue while investigating the site's order volume. By examining API endpoints, he found that a basic POST request returned customer records. Each request returned ten records, each containing a customer number that could be used to iterate through the entire database. Within an hour, Louis extracted approximately 5,000 records before ceasing his activity. The types of data exposed included first and last names, primary and secondary addresses, email addresses, phone numbers, customer/account numbers, enrollment IDs (pre-order numbers), and whether the order was placed by phone or online.
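A defender-side illustration of the access pattern described above, added here and not taken from the source article or from Trump Mobile's systems: it scans API access-log entries for a single client pulling customer records in bulk while stepping through customer numbers. The log format, field names, endpoint path, thresholds, and sample entries are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/api/example/customers"  # hypothetical path, not the real endpoint
WINDOW = timedelta(hours=1)
MAX_RECORDS = 100  # assumed per-client budget of customer records per window

def find_enumeration(log_lines, window=WINDOW, max_records=MAX_RECORDS):
    """Flag clients that pull more than max_records customer records within
    one window, and note whether they stepped through customer numbers."""
    per_client = defaultdict(list)
    for line in log_lines:
        e = json.loads(line)
        if e["method"] == "POST" and e["path"] == ENDPOINT and e["status"] == 200:
            per_client[e["client"]].append(
                (datetime.fromisoformat(e["ts"]), e["records"], e["cursor"]))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, total = 0, 0
        for end, (ts, records, _) in enumerate(events):
            total += records
            while ts - events[start][0] > window:  # slide the window forward
                total -= events[start][1]
                start += 1
            if total > max_records:
                cursors = [c for _, _, c in events[start:end + 1]]
                rising = sum(b > a for a, b in zip(cursors, cursors[1:]))
                flagged[client] = {
                    "records": total,
                    "requests": end - start + 1,
                    "sequential": len(cursors) > 1 and rising >= 0.9 * (len(cursors) - 1),
                    "first_seen": events[start][0].isoformat(),
                }
                break
    return flagged

def sample_log():
    """Constructed entries: one client paging ten records at a time, one normal."""
    base = datetime(2026, 1, 1, 12, 0, 0)
    def entry(minute, client, records, cursor):
        return json.dumps({"ts": (base + timedelta(minutes=minute)).isoformat(),
                           "client": client, "method": "POST", "path": ENDPOINT,
                           "status": 200, "records": records, "cursor": cursor})
    walker = [entry(i, "203.0.113.7", 10, 1000 + 10 * i) for i in range(30)]
    normal = [entry(5, "198.51.100.20", 1, 5120), entry(40, "198.51.100.20", 1, 4410)]
    return walker + normal

if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```

Volume-based alerting of this kind only shortens the exposure window; the underlying fix is requiring authentication and per-customer authorization on the records endpoint.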

After confirming the vulnerability and deleting all extracted data, Louis attempted to disclose the issue to Trump Mobile and other relevant parties but received no response. However, the vulnerability was silently fixed at some point. The Register also reached out to Trump Mobile for comment but received no reply. Out of options, Louis went public by contacting prominent YouTube creators Stephen "Coffeezilla" Findeisen and Charles "penguinz0" White Jr., whose videos on the findings have garnered millions of views.

The Trump Mobile brand, launched by President Trump's sons in June 2025, has faced multiple controversies. The flagship T1 smartphone, originally promised as a "Made in America" device, began shipping this week after delays. Recipients have confirmed that the T1 is merely a reskinned HTC U-24 Pro, a mid-range Android phone from Taiwanese manufacturer HTC. The device's American flag embossment also features only 11 stripes instead of 13. The company initially marketed the phones as American-made but later dropped that claim.

This data exposure adds to the brand's troubled launch. The T1, priced at $499, comes with 512GB storage, a 120Hz display, a Snapdragon 7 chip, and pre-installed Truth Social. While the vulnerability has been fixed, the incident raises concerns about the security practices of politically affiliated ventures and the handling of customer data. No CVE was assigned, and the exact timeline of the fix remains unclear.

Synthesized by Vypr AI