I probably started three phone purchases and didn't buy any of them
In the early days of a much-delayed product launch, Trump Mobile — the smartphone venture bearing one of America's most recognizable political names — finds itself navigating a quieter kind of vulnerability: not a breach of vaults, but a crack in the facade through which the identities of roughly 27,000 curious customers briefly spilled into view. Discovered by chance and reported in good faith, the flaw serves as a reminder that even the most prominent enterprises are not exempt from the unglamorous realities of digital infrastructure. No financial data was taken, but trust, once questioned, requires more than a patch to restore.
- A simple numbering flaw in Trump Mobile's website silently exposed the names, addresses, phone numbers, and emails of up to 27,000 people who had browsed or attempted to preorder its T1 smartphone.
- An Australian IT worker stumbled upon the vulnerability by accident, and a Columbia University programmer later confirmed the exposure by analyzing the retrieved code — neither had to work hard to find it.
- The counter that tracked orders had reached 27,224, but the true number of committed buyers is far lower, since the system captured anyone who so much as started a purchase and walked away.
- Trump Mobile insists its core systems, payment infrastructure, and banking data were never compromised, and has engaged cybersecurity professionals to investigate and assess notification obligations.
- The incident lands at an already complicated moment — the T1 phone is only now shipping after nearly a year of delays, and its original 'proudly built in the US' promise has quietly softened to components 'primarily manufactured' domestically.
Trump Mobile, the cellular and smartphone venture tied to the Trump family business, is investigating a website security flaw that exposed personal details — names, addresses, phone numbers, and email addresses — of approximately 27,000 people who had shown interest in its gold-colored T1 smartphone. Payment data, banking information, and Social Security numbers were not affected.
The vulnerability was discovered by accident by an Australian IT professional, who reported it to the company. Jonathan Soma, a programmer and Columbia University professor, later analyzed the underlying code and found the flaw operated through a basic order-numbering system — each new browsing session incremented a counter, which had reached 27,224 by the time the issue was identified. Crucially, Soma noted that the figure included anyone who had started but abandoned a purchase, meaning far fewer people had actually completed a preorder. 'I probably started three phone purchases and didn't buy any of them,' he said.
Trump Mobile maintained that its core systems and infrastructure were not directly compromised, and said it was working with independent cybersecurity professionals while evaluating its legal notification obligations. Customers were advised to stay alert for suspicious communications and reminded that the company would never solicit sensitive information through unsolicited contact.
The exposure arrives as Trump Mobile finally begins shipping the T1 — a phone announced in June 2025 to coincide with the tenth anniversary of Donald Trump's first presidential campaign, and promised by Eric Trump and Donald Trump Jr. as a 'sleek, gold smartphone' proudly made in America. After nearly a year of delays, CEO Pat O'Brien confirmed the first units were assembled domestically, though future phones would use components only 'primarily manufactured' in the US — a quiet retreat from the original pledge. The incident, while not a catastrophic breach, casts a shadow over a launch already tested by time.
Trump Mobile, the cellular service and smartphone venture launched by Donald Trump's family business, is investigating a website vulnerability that exposed the personal information of roughly 27,000 people who attempted to purchase its gold-colored T1 smartphone. The exposure included names, addresses, email addresses, phone numbers, and order identifiers—but not payment card data, banking information, or Social Security numbers, according to a statement the company provided to the Guardian.
An Australian programmer working in information technology discovered the flaw by accident and reported it to Trump Mobile. Jonathan Soma, a programmer and professor at Columbia University in New York, later examined the underlying code the Australian had retrieved from the Trump Mobile website. The vulnerability operated through a simple numbering system: each potential order incremented a counter by one, and that counter had reached 27,224 by the time the flaw was identified. Soma noted, however, that this figure included people who had abandoned their shopping carts before completing a purchase or paying any deposit, meaning the actual number of completed preorders was substantially lower. "I probably started three phone purchases and didn't buy any of them," Soma said, illustrating how the exposure swept up far more browsing activity than actual sales.
Trump Mobile stated that its own systems, infrastructure, and network had not been directly compromised. The company said it was working with independent cybersecurity professionals to investigate the incident and was evaluating what notification obligations it might have to affected individuals. The company advised customers to watch for suspicious emails, calls, or text messages related to their orders and reminded them that Trump Mobile would never request sensitive information through unsolicited contact.
The security discovery arrives as Trump Mobile begins shipping its delayed T1 smartphones to customers. The company announced the phone in June 2025, coinciding with the tenth anniversary of Donald Trump's first presidential campaign. At that time, Eric Trump and Donald Trump Jr. promised a "sleek, gold smartphone" that would be "proudly designed and built in the US." The phones faced nearly a year of delays before distribution started. Last week, the company's chief executive, Pat O'Brien, said the first T1 units were assembled in the United States and that future phones would use components "primarily manufactured" domestically—a shift from the original American manufacturing pledge. O'Brien declined to disclose how many preorders the company had received but told USA Today that Trump Mobile was "incredibly pleased" with customer interest.
The website vulnerability underscores the security risks that can emerge even in high-profile product launches. The flaw was neither a direct breach of Trump Mobile's core systems nor a theft of financial data, but it did expose the contact information of tens of thousands of people who had shown interest in the product. As the company implements additional safeguards and monitors for further issues, it faces the task of notifying affected customers while maintaining confidence in its nascent cellular service.
Citas Notables
Based on the available information, we have not identified evidence that Trump Mobile's systems, infrastructure, or network were directly compromised.— Trump Mobile statement
The incident does not appear to involve Trump Mobile payment card information, banking information, Social Security numbers, call records, text messages, or other highly sensitive financial data.— Trump Mobile statement
La Conversación del Hearth Otra perspectiva de la historia
How does a website flaw like this even happen? Didn't anyone test the site before launch?
The vulnerability wasn't in Trump Mobile's core systems—it was in how the website displayed order data. A simple numbering system that incremented with each attempt. It's a common pattern in e-commerce, but when exposed, it becomes a window into customer activity.
So 27,000 people had their information leaked?
Not exactly. That number includes people who never finished buying anything—they clicked around, started filling out forms, then left. The actual number of real customers is probably much smaller. But yes, anyone who touched that form had their name and address exposed.
Why does it matter that the phones were supposed to be made in America?
Because it shows the gap between the promise and the reality. They launched with "proudly designed and built in the US," but now they're saying components are "primarily manufactured" locally. The security flaw happened while they're already managing expectations about manufacturing.
Did Trump Mobile's own systems get hacked?
No. That's what they're emphasizing. The flaw was in how the website was structured, not in a breach of their servers or networks. It's a different kind of vulnerability—more about poor design than active attack.
What happens to those 27,000 people now?
The company is deciding whether it's legally required to notify them. They're warning people to watch for suspicious contact claiming to be from Trump Mobile. But the real risk is low—scammers now know these people were interested in the phone, which is valuable information for targeted fraud.
Is this going to hurt the phone launch?
It's a complication, but not catastrophic. No financial data was stolen. The company can frame this as a discovered-and-fixed problem. What matters more is whether customers trust them going forward, especially after the manufacturing delays.