
May 24, 2026 · 9 min read

A Self-Taught Tinkerer Walked Out With 5,000 Trump Mobile Customer Records in One Hour—and the Whole 27,000-Customer Database Was One More Loop Away From Being Public

A browser console, a one-line POST request, and a loop over customer IDs. That is the entire technical inventory of the May 22 Trump Mobile leak. Names, addresses, emails, phone numbers, and order IDs for the President's branded phone service were sitting behind an API endpoint with no authentication and no rate limit. Trump Mobile has not commented.

[Image: A gold-cased smartphone lying on a black desk with abstract blue data fields overlaying the screen, representing customer records exposed through an unauthenticated API endpoint]

Key Takeaways

  • The Trump Mobile website exposed an unauthenticated API endpoint that returned ten customer records per request, indexed by sequential customer number.
  • A self-described "self-taught tech tinkerer" using the alias Louis retrieved about 5,000 records in one hour by looping the endpoint from his browser console.
  • Roughly 27,000 customers' first and last names, primary and secondary mailing addresses, email addresses, phone numbers, customer numbers, and pre-order enrollment IDs were inside the exposed dataset.
  • Payment data and Social Security numbers were not in the leaked records, according to the researcher's testing.
  • Trump Mobile did not respond to disclosure attempts or media questions; the endpoint appears to have been silently patched.

What Is Trump Mobile?

Trump Mobile is the cellular and smartphone brand launched by the Trump Organization in June 2025. Its flagship product is the T1, a $499 gold-cased Android phone with Truth Social preinstalled. Hardware investigators identified the device as a rebadged HTC U-24 Pro—HTC's mid-range Snapdragon 7 Gen 3 model—wrapped in a gold-tinted shell. The cellular service rides on top of an existing US mobile network as an MVNO, with Trump Mobile handling the customer relationship, billing, and the website through which the leak occurred.

The phone began shipping the same week the data leak was disclosed, almost a year after pre-orders opened. The customers in the exposed dataset are largely people who placed those pre-orders.

How Did the Data Get Out?

The researcher who goes by the name Louis described the entire vector in one sentence to The Register on May 22: "It was as easy as going to the website and writing a very simple HTTP POST request into the console." The endpoint accepted a request containing a customer number, returned a JSON array of ten customer records, and did not require any authentication token, session cookie, or API key.

Louis ran the request once to confirm the shape of the response, then wrote a short loop in his browser's developer console that incremented the customer number and concatenated the results. Within an hour he had pulled approximately 5,000 records. The total dataset, judging by the highest customer number he reached, contained roughly 27,000 entries—every pre-order Trump Mobile had taken since June 2025.

There was no rate limiting on the endpoint. No CAPTCHA. No anomaly detection from the application layer. The server happily returned ten records per request until Louis decided he had seen enough.
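As an added example (not code from the article or from Trump Mobile), here is the kind of server-side check that would have surfaced the hour-long loop: a short Python scan over access logs that flags a client walking the customer-number keyspace. The log format, the endpoint path /api/customer/lookup, and the client addresses are constructed assumptions, including the assumption that the application logs the customer number each request carried.

```python
"""Flag customer-number enumeration against a lookup endpoint from access logs.
Added example, not part of the article; the log format, endpoint path and
client addresses are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample lines: ip, time, method, path, status, and the
# customer_number the request body carried (assumed to be logged by the app).
SAMPLE_LOG = """\
203.0.113.7 10:00:01 POST /api/customer/lookup 200 customer_number=1000
203.0.113.7 10:00:02 POST /api/customer/lookup 200 customer_number=1010
203.0.113.7 10:00:02 POST /api/customer/lookup 200 customer_number=1020
203.0.113.7 10:00:03 POST /api/customer/lookup 200 customer_number=1030
203.0.113.7 10:00:03 POST /api/customer/lookup 200 customer_number=1040
198.51.100.9 10:00:05 POST /api/customer/lookup 200 customer_number=27311
198.51.100.9 10:12:40 POST /api/customer/lookup 200 customer_number=27311
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<time>\S+) POST /api/customer/lookup (?P<status>\d+) "
    r"customer_number=(?P<cid>\d+)$"
)
RECORDS_PER_REQUEST = 10  # the endpoint returned ten records per call


def parse_log(text):
    """Yield (ip, customer_number) for each successful lookup request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            yield m.group("ip"), int(m.group("cid"))


def find_enumeration(text, min_requests=4):
    """Return {ip: estimated_records_pulled} for clients whose requested
    customer numbers form a strictly increasing run of distinct values.
    A customer re-checking their own order repeats one number; a scraper
    walks the keyspace in order."""
    by_ip = defaultdict(list)
    for ip, cid in parse_log(text):
        by_ip[ip].append(cid)
    flagged = {}
    for ip, cids in by_ip.items():
        distinct = len(set(cids))
        increasing = all(a < b for a, b in zip(cids, cids[1:]))
        if distinct >= min_requests and increasing:
            flagged[ip] = distinct * RECORDS_PER_REQUEST
    return flagged
```

The estimate multiplies distinct requests by the ten records each call returned, which is how a responder would size the exposure after the fact.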

What Data Was Exposed?

Each record contained the following fields:

  • Customer first and last name
  • Primary mailing address
  • Secondary mailing address (some accounts had one, many did not)
  • Email address
  • Phone number
  • Internal customer account number
  • Enrollment ID—the pre-order tracking number assigned at checkout
  • Order channel—whether the order was placed online or by phone

Payment card data and Social Security numbers were not in the records the endpoint returned. The Register's analysis suggests those fields are held in a separate database not reachable through this particular endpoint. That is a meaningful distinction for victim notification rules but a thin consolation for the 27,000 people whose home address now sits alongside their email address in a downloadable JSON file.

Why an Address Plus an Email Is a Phishing Goldmine

The Trump Mobile leak is not, in itself, the worst breach of 2026. It does not contain financial data. It does not contain government identifiers. What makes it valuable to attackers is the combination of fields, not any single field. A person's first name, last name, home address, and email address—in a single row—is the raw material for highly targeted phishing.

A phishing email that addresses the recipient by name, references their actual home address, and asks them to confirm shipping details on an order they actually placed is far more likely to clear the recipient's skepticism than a generic spam blast. The Trump Mobile dataset is particularly well suited for this because the customers are largely loyal supporters who pre-ordered a product months in advance, are emotionally invested in the brand, and are now—as of May 22—waiting for delivery confirmation. A shipping confirmation phish landing in their Gmail this week is going to have an excellent open rate.

The next problem is that this data is essentially permanent. Home addresses do not rotate. Email addresses rotate slowly. Phone numbers rotate slowly. The dataset will retain phishing value for years after Trump Mobile patches the endpoint, because there is no way to put it back. Anyone who has ever ordered a T1 should expect to receive a sharper class of phishing email for the foreseeable future.

Trump Mobile's Silence

The researcher attempted to disclose the vulnerability through Trump Mobile's listed support channels before going to the press. He received no acknowledgment. Trump Mobile also declined to respond to The Register's questions. The endpoint itself appears to have been quietly patched in the hours after publication, but no public statement, customer notification, or apology has been issued.

That silence has regulatory consequences. Most US states require breach notification within thirty to ninety days, depending on jurisdiction, for incidents that expose name plus contact information. California's CCPA, Colorado's CPA, and a half dozen newer state laws all have specific timelines for telling customers their data was exposed. The Trump Mobile customer base spans every state, so the company is now on the clock in every jurisdiction. Montana's MCDPA, which lost its cure period in April, allows direct enforcement actions without a warning letter.

Whether any state attorney general decides to enforce against the President's brand is a separate question. The political calculus is uncomfortable. The legal exposure is not theoretical.

What to Do If You Pre-Ordered

First, assume your name, home address, email, and phone number are now in the hands of multiple researchers and—through normal information laundering channels—soon to be in the hands of phishing operators. Treat any email referencing your T1 order with the same skepticism you would apply to any unexpected message. Do not click links inside such emails. Navigate to the Trump Mobile website directly by typing the address into your browser.

Second, watch your inbox for the actual breach notification that Trump Mobile is now legally required to send. The notification is supposed to come from the company's verified domain. If you do not receive one within the next thirty days, you can file a complaint with your state attorney general's consumer protection office.

Third, harden the email account you used for the pre-order. Turn on two-factor authentication. Review the recovery phone and recovery email entries—those are the side door an attacker uses to take over the account once they have your contact details. Consider whether the email address you used is one you can afford to compartmentalize away from your primary identity. Pre-order data leaks are the most common trigger for the kind of phishing that ends with someone losing access to their entire Google account.

Fourth, expect tracking pixels in the inevitable shipping notification emails. Marketing emails almost universally contain spy pixels that report when and where you read each message. For customers whose home address is already exposed, the read state on those marketing pixels is one more data point in a profile that the breach has already enriched.

The Bigger Picture

Trump Mobile is, technically, a small breach. Twenty-seven thousand records is two orders of magnitude smaller than the ShinyHunters Salesforce dumps that hit Carnival, Vimeo, and Hallmark earlier in May. What makes it noteworthy is the trivial nature of the vulnerability. An API endpoint that returns customer records with no authentication is the kind of mistake that gets a junior developer pulled aside in code review at a competent organization. It survived to production at Trump Mobile.

The pattern is recognizable. New consumer brands launching with aggressive marketing and limited engineering oversight repeatedly ship the same classes of bugs—unauthenticated APIs, sequential IDs that double as primary keys, no rate limiting at the edge. The 2024 Twitter and OkCupid breaches, the 2025 Disney+ password reset bypass, and now Trump Mobile all follow the same blueprint.
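The three bugs named above, as an added example that is not code from the article or from any of the companies it mentions: a framework-free Python handler in the shape the leak describes (any caller, any number, ten rows per call) beside a hardened version that rate-limits per client, requires a signed-in session, and returns only the caller's own record. The in-memory record store, the Session model, and the limits are constructed assumptions.

```python
"""Object-level authorization plus rate limiting for a customer lookup.
Added example, not code from the article or from Trump Mobile; the record
store, session model and limits are constructed assumptions."""
import time
from dataclasses import dataclass, field

CUSTOMERS = {  # constructed in-memory store keyed by sequential customer number
    1001: {"name": "A. Example", "email": "a@example.com", "address": "1 Main St"},
    1002: {"name": "B. Example", "email": "b@example.com", "address": "2 Main St"},
}

@dataclass
class Session:
    customer_number: "int | None"  # None: the caller is not signed in
    client_id: str

def lookup_vulnerable(customer_number):
    """The article's failure mode: any caller, any number, ten rows per call,
    and a sequential key that lets a simple loop walk the whole table."""
    return [CUSTOMERS[n] for n in range(customer_number, customer_number + 10)
            if n in CUSTOMERS]

@dataclass
class RateLimiter:
    """Fixed-window limiter: at most `limit` calls per `window` seconds per client."""
    limit: int = 5
    window: float = 60.0
    hits: dict = field(default_factory=dict)

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        start, count = self.hits.get(client_id, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        self.hits[client_id] = (start, count + 1)
        return count < self.limit

LIMITER = RateLimiter()

def lookup_hardened(session, customer_number, now=None):
    """Return (status, record): at most one record, and only the caller's own."""
    if not LIMITER.allow(session.client_id, now):
        return 429, None  # too many requests from this client, signed in or not
    if session.customer_number is None:
        return 401, None  # authentication required
    if customer_number != session.customer_number:
        return 403, None  # object-level authorization (BOLA/IDOR) check
    record = CUSTOMERS.get(customer_number)
    return (200, record) if record else (404, None)
```

With the hardened handler a loop over customer numbers yields 403s for every number but the caller's own and trips the limiter after five calls a minute, so an enumeration attempt shows up in the logs as a wall of 403 and 429 responses instead of a silent export.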

For consumers, the takeaway is operational. The prominence of a brand has no relationship to the maturity of its infrastructure. The fact that a President is putting his name on a product is no signal at all about whether the engineering team building that product has ever heard the phrase "rate limiting." When the next shiny new brand wants your address and email at checkout, the default assumption should be that, eventually, both fields end up somewhere you would prefer they not.
