Close-up of a smartphone screen showing notification alerts

TL;DR:

  • The leak: Trump Mobile’s website exposed customer data (names, home addresses, email addresses, phone numbers, and order details) through a trivially simple HTTP request anyone could execute from a browser console. [1][2][3]
  • The scale: Over 27,000 pre-order customers were potentially exposed. A researcher extracted 5,000 records in a single hour. No hacking tools required: just a POST request. [2][3]
  • The response: Trump Mobile ignored repeated contact attempts from the researcher and from YouTubers Coffeezilla and penguinz0. Days later, after TechCrunch published the story, the company blamed a “third-party platform provider” and said no breach occurred. [1][4]
  • The irony: The T1 phone markets itself as a “premium smartphone for performance & privacy.” It shipped months late at $499. The company claimed 590,000 pre-orders. The leaked data suggests the real number is closer to 27,000. [2][3][5]

A POST Request. That’s It.

The person who found the vulnerability goes by “Louis.” He describes himself as “just a nerd between jobs with too much time on my hands.” He’s not a professional security researcher. He was just poking around the Trump Mobile website. [3]

What he found was staggering in its simplicity.

“It was as easy as going to the website and writing a very simple HTTP POST request into the console,” Louis told The Register. No SQL injection. No sophisticated exploit. Just a basic browser request that returned customer records, ten at a time, looping through customer numbers to pull the full database. [3]

In one hour, he extracted roughly 5,000 customer records. Each record contained: [2][3]

  • First and last names
  • Primary and secondary mailing addresses
  • Email addresses and phone numbers
  • Customer account numbers
  • Enrollment IDs (pre-order numbers)
  • Order method (phone or online)

Credit card numbers weren’t exposed. But home addresses and phone numbers? For customers of the President’s phone brand? That’s a doxing risk that goes beyond standard breach territory.

Nobody Picked Up the Phone

Louis tried to contact Trump Mobile. No response. He reached out to YouTubers Stephen “Coffeezilla” Findeisen and Charles “penguinz0” White Jr. (both of whom had ordered the T1 phone) and proved the breach was real by showing them their own leaked data. [1][2]

They tried to contact Trump Mobile too. Nothing.

“All of us have been met with radio silence,” penguinz0 said. [1]

Coffeezilla was more direct: “Do not order on trumpmobile.com unless you’re ready for your information to be leaked.” [1]

Their videos collectively pulled millions of views. TechCrunch published on May 20, 2026. The Register followed on May 22. Only then did Trump Mobile acknowledge anything. [1][2][3][4]

“No Breach of Our Network”

On May 22, Trump Mobile spokesperson Chris Walker finally responded to TechCrunch. His statement: the exposure was “linked to a third-party platform provider that supports certain Trump Mobile operations.” The company claimed no breach of its own network, systems, or infrastructure occurred. [4]

Translation: it wasn’t our servers, it was our vendor’s servers. The customers whose data was exposed probably don’t care about the distinction.

Walker said the company was “evaluating whether customer notification obligations applied.” [4] Under most state breach notification laws, exposing names combined with home addresses or phone numbers triggers mandatory disclosure. The fact that Trump Mobile was still “evaluating” days after confirmation tells you how seriously they’re taking this.

The unnamed third-party vendor was never identified. The vulnerability appears to have been patched at some point, though the timeline remains unclear. [3][4]

27,000 vs. 590,000

Here’s the side story nobody at Trump Mobile wants you to notice.

When the T1 phone was announced in August 2025, Trump Mobile claimed 590,000 pre-orders. The phone was supposed to ship that month. It didn’t arrive until May 2026, nine months late. [2][3][5]

The leaked data tells a different story. Based on unique customer IDs in the exposed database, approximately 27,000 people actually ordered the phone. [2] That’s less than 5% of the claimed figure.

The T1 itself is a $499 Android device with a gold case and an American flag on the back. It runs on a Qualcomm Snapdragon 7 series chip with a 6.78-inch display, 512GB storage, and a 5,000mAh battery. The service plan (called “The 47 Plan”) costs $47.45 a month and includes international calling to 100+ countries. [5]

The phone’s own marketing page advertises it as a “premium American-made smartphone for performance & privacy.” [5]

Privacy. From the company that couldn’t secure a POST request.

If You Ordered a T1

If you’re one of the ~27,000 people who pre-ordered, your data was likely exposed. Here’s what to do:

  • Watch for phishing. Your name, address, email, and phone number are now potentially in the wild. Expect targeted scam emails and texts referencing your Trump Mobile order.
  • Monitor your accounts. While credit cards weren’t exposed, the combination of name + address + phone number + email is enough for social engineering attacks on your other accounts.
  • Freeze your credit. With your full name and home address, someone can attempt identity theft. A credit freeze at Equifax, Experian, and TransUnion is free and takes five minutes.
  • Document everything. If Trump Mobile contacts you about notification, save it. If they don’t contact you within 30 days, that may itself be a violation of your state’s breach notification law.
  • Consider filing a complaint. Your state attorney general handles breach notification enforcement. If Trump Mobile doesn’t notify you, they should hear about it.

The Pattern

Trump Mobile isn’t the first company to ship a product while leaving customer data wide open. But the combination of factors here is something:

A phone that markets itself on privacy. A website so poorly secured that a hobbyist could download the entire customer database from a browser console. A company that ignored disclosure attempts until journalists forced a response. And inflated sales numbers that the company’s own data contradicts.

State attorneys general in New York, California, and other states with strong breach notification laws will likely be watching whether Trump Mobile meets its disclosure obligations. Given the political sensitivity of the customer list (these are people who ordered the President’s phone), the stakes for affected individuals go beyond typical breach risk.

Your home address. Your phone number. Your name. Linked to a political purchase. Sitting on an unsecured API endpoint. That’s the “privacy” Trump Mobile delivered.

Sources

  1. TechCrunch: Customers Say Trump Mobile Is Leaking Their Personal Information (May 20, 2026)
  2. TechCrunch: Trump Mobile Confirms It Exposed Customers’ Personal Data (May 22, 2026)
  3. The Register: Trump Mobile Site Leaks Customer Data as Phone Finally Ships (May 22, 2026)
  4. Engadget: Trump Mobile Has Exposed Customer Personal Data (May 2026)
  5. Smartprix: Trump Mobile T1 Phone Specifications and Price (2026)