A self-taught tech enthusiast who goes by the name “Louis” claims he found a vulnerability on Trump Mobile’s website that allowed him to extract customer data using simple HTTP POST requests. It says the flaw exposed information from more than 27,000 customers who had placed orders.
The issue appears to have been fixed, although Trump Mobile has not publicly confirmed the vulnerability or responded to media inquiries.
The Registry reported on the claim. Louis described himself as “just a nerd between jobs with too much time on his hands” and refused to be called a security researcher.
What data was exposed and how Trump’s mobile bug worked
Louis claims to have accessed data including first and last names, primary and secondary addresses, email addresses, phone numbers, account and customer numbers, and enrollment IDs such as pre-order numbers.
The data also indicates whether the order was placed by phone or online. From its description, the data did not appear to include payment card numbers or other directly financial credentials.
Louis explained that the problem was not due to a SQL injection or a more sophisticated attack. He said that by sending a simple HTTP POST request to the website’s API endpoint from a browser console, he was able to retrieve customer logs directly.
The endpoint returned ten records at a time, and each record contained a client number that could be used to access additional records. Louis estimated that his script collected approximately 5,000 customer records in about an hour. He confirmed that the issue was valid and subsequently deleted the data collected by his script.
Disclosure attempts, Trump Mobile’s silence and the launch of the T1 phone
Louis attempted to disclose the findings to Trump Mobile and other parties who could take action, but received no response. The vulnerability appears to have been fixed despite the lack of communication.
When he couldn’t reach Trump Mobile through standard channels, he shared his findings with two YouTube creators known to have ordered the Trump T1 phone: Stephen “Coffeezilla” Findeisen and Charles “penguinz0” White Jr.
Their videos about these findings have collectively garnered millions of views. The Register also said it contacted Trump Mobile and did not get a response.
The disclosure comes as the Trump T1 smartphone begins arriving to pre-order customers this week, after it was initially scheduled to launch in August 2025. The device is priced at $499 as part of a promotional offer.
Although the brand promoted the device as “Made in America” when it was announced in June 2025, customers who received it confirm that it is a redesigned HTC U-24 Pro. This mid-range Android phone was originally released by Taiwanese manufacturer HTC in June 2024. The “Made in America” label has since been removed from Trump Mobile’s marketing.
The phone features an embossed American flag on the back, but it only has 11 stripes instead of the usual 13. The T1 comes with 512GB of storage, a 120Hz display, a Snapdragon 7 chip, and has Truth Social preinstalled.
What affected Trump Mobile customers should do now
Customers who pre-ordered through Trump Mobile should remain alert for possible phishing attempts using the leaked information. Email addresses, phone numbers, and physical addresses in this data set are often exploited in targeted scam campaigns.
Users may also consider setting up identity monitoring through their bank or credit card provider, and should be wary of any unexpected calls or messages referencing orders from Trump Mobile. Trump Mobile has not issued a public notice to affected customers or confirmed the extent of the data exposure.
