A self-taught tech enthusiast who goes by the name “Louis” claims he found a vulnerability in the Trump Mobile website that let him extract customer data using simple HTTP POST requests. He says the flaw exposed information for more than 27,000 customers who had placed orders.
The issue appears to have been fixed, although Trump Mobile has not publicly confirmed the vulnerability or responded to media inquiries.
The Register reported on the claim. Louis described himself as “just a nerd between jobs with too much time on my hands” and declined to be called a security researcher.
What Data Was Exposed and How the Trump Mobile Flaw Worked
Louis claims to have accessed data that includes first and last names, primary and secondary addresses, email addresses, phone numbers, customer and account numbers, and enrollment IDs such as pre-order numbers.
The data also indicates whether the order was placed by phone or online. Based on his description, the data did not appear to include payment card numbers or other directly financial credentials.
Louis explained that the issue was not due to a SQL injection or a more sophisticated attack. He said that by sending a simple HTTP POST request to the website’s API endpoint from a browser console, he was able to retrieve customer records directly.
The endpoint returned ten records at a time, with each record containing a customer number that could be used to access additional records. Louis estimated that his script collected roughly 5,000 customer records in about an hour. He confirmed that the issue was valid and subsequently deleted the data collected by his script.
Disclosure Attempts, Trump Mobile’s Silence, and the T1 Phone Launch
Louis tried to disclose the findings to Trump Mobile and other parties who could take action but received no response. The vulnerability seems to have been fixed despite the lack of communication.
When he was unable to reach Trump Mobile through standard channels, he shared his findings with two YouTube creators known to have ordered the Trump T1 phone: Stephen “Coffeezilla” Findeisen and Charles “penguinz0” White Jr.
Their videos about these findings have collectively garnered millions of views. The Register also said it contacted Trump Mobile and did not get a response.
The disclosure comes as the Trump T1 smartphone begins reaching pre-order customers this week, after initially being scheduled for release in August 2025. The device is priced at $499 as part of a promotional offer.
Although the brand promoted the device as “Made in America” when it was announced in June 2025, customers who have received it confirm that it is a reskinned HTC U-24 Pro. This mid-range Android phone was originally released by Taiwanese manufacturer HTC in June 2024. The “Made in America” label has since been removed from Trump Mobile’s marketing.
The phone features an American flag embossed on the back, but it has only 11 stripes instead of the usual 13. The T1 comes with 512GB of storage, a 120Hz display, a Snapdragon 7 chip, and has Truth Social pre-installed.
What Affected Trump Mobile Customers Should Do Now
Customers who pre-ordered through Trump Mobile should stay alert for potential phishing attempts using the leaked information. Email addresses, phone numbers, and physical addresses from this data set are often exploited in targeted scam campaigns.
Users might also consider setting up identity monitoring through their bank or credit card provider, and should be cautious of any unexpected calls or messages referencing Trump Mobile orders. Trump Mobile has not issued a public notice to affected customers nor confirmed the extent of the data exposure.
