A self-taught tech enthusiast going by the name “Louis” claims he found a vulnerability in the Trump Mobile website that allowed him to extract customer data using simple HTTP POST requests. They say that due to this flaw, the information of more than 27,000 customers who had placed orders was exposed.
The issue appears to have been fixed, although Trump Mobile has not publicly confirmed the vulnerability or responded to media inquiries.
The Register reported on the claim. Lewis described himself as “just an idiot between jobs with too much time on my hands” and refused to be called a security researcher.
What data was exposed and how the Trump Mobile flaw worked
Lewis claims it has accessed data that includes first and last names, primary and secondary addresses, email addresses, phone numbers, customer and account numbers and enrollment IDs such as pre-order numbers.
The data also shows whether the order was placed by phone or online. Based on their description, the data did not appear to include payment card numbers or other direct financial evidence.
Lewis explained that the problem was not caused by SQL injection or a more sophisticated attack. He said that by sending a simple HTTP POST request from the browser console to the website’s API endpoint, he was able to get customer records directly.
The endpoint returned ten records at a time, each record containing a customer number that could be used to access additional records. Lewis estimated that his script collected about 5,000 customer records in about an hour. They confirmed that the issue was legitimate and later deleted the data collected by their script.
Disclosure efforts, Trump Mobile’s silence, and T1 phone launch
Lewis tried to disclose the findings to Trump Mobile and other parties who could take action but received no response. The vulnerability appears to have been fixed despite the lack of communication.
When he was unable to reach Trump Mobile through standard channels, he shared his findings with two YouTube creators known to have ordered a Trump T1 phone: Stephen “CoffeeZilla” Findeisen and Charles “Penguinz0” White Jr.
Their videos about these findings have collectively been viewed millions of times. The Register also said it contacted Trump Mobile and did not receive a response.
The reveal comes as the Trump T1 smartphone began reaching pre-order customers this week after being scheduled for release in August 2025. Under the promotional offer, the price of the device has been kept at $499.
Although when the device was announced in June 2025, the brand promoted it as “Made in America”, customers who have received it confirm that it is a new HTC U-24 Pro. This mid-range Android phone was originally released by Taiwanese manufacturer HTC in June 2024. The “Made in America” label has since been removed from Trump Mobile’s marketing.
The phone has an American flag emblazoned on the back, but it only has 11 stripes instead of the usual 13. The T1 comes with 512GB storage, a 120Hz display, a Snapdragon 7 chip, and comes pre-installed with Truth Social.
What should affected Trump Mobile customers do now?
Customers who pre-ordered through Trump Mobile should be alert to possible phishing attempts using leaked information. Email addresses, phone numbers, and physical addresses from this data set are often used in targeted scam campaigns.
Users may also consider setting up identity monitoring through their bank or credit card provider, and should be wary of any unexpected calls or messages referencing Trump Mobile orders. Trump Mobile has not issued any public notice to affected customers or confirmed the extent of the data exposure.
