company of the week: t-mobile — neobotnet
Most people picture T-Mobile as a phone carrier. From the outside, the scope looks like something else: a network assembled from rivals it bought — Sprint, MetroPCS, and US Cellular — with their prepaid brands and an advertising business folded in. The single most revealing thing it leaves in public isn't a product page or a press release. It's a login page — and read across the whole estate, the login pages answer a question the press releases don't: which of these acquisitions actually became one company.
T-Mobile runs a public bug bounty on Bugcrowd, which puts its public web surface in scope for outside research. neobotnet mapped that surface — explore the full index in /urls.
17 in-scope roots
10,185 dns resolved
248 live web servers
103 technologies
107,899 urls indexed
what's reachable
The scope is not one company. It is seventeen root domains that trace four acquisitions and an ad-tech arm:
t-mobile.com / metrobyt-mobile.com: the carrier + Metro prepaid
sprint.com: Sprint (merged 2020, domain still live)
uscc.com / uscc.net / uscellular.com: US Cellular (acquired 2024)
assurancewireless.com: Lifeline prepaid (arrived via Sprint)
blis.com + *audience.com (×7): T-Mobile Advertising / Blis
The legacy carriers account for most of the names. t-mobile.com carries 4,547 discovered hostnames, and uscc.com and uscc.net add another 4,949 between them. uscc.net, though, serves no live web pages at all — thousands of its names resolve in DNS but return nothing over HTTP. A large pool of resolving-but-silent hostnames is common in the years after an acquisition: while two networks are being combined, a lot of inherited infrastructure keeps its DNS entry without yet serving a public website.
The same shape holds across the whole estate. Of everything in scope:
10,185 hostnames resolve in DNS.
780 of those answer an HTTP request at all.
248 return an HTTP 200.
166 serve a page with a real title.
That leaves roughly 98% of the resolving names as infrastructure rather than public web pages.
The DNS records also show how that infrastructure is hosted. A host's CNAME target — the canonical name it points to — names its provider directly: more than 1,900 hostnames resolve through Akamai, several hundred more through Microsoft Azure, and 445 through AWS. The SaaS layer is just as visible: ServiceNow, Salesforce and Pardot, Adobe Experience Manager, Zendesk, Imperva, and LotusFlare (a digital-commerce platform built for telecom operators).
That is a map of T-Mobile's vendor stack, drawn entirely from public DNS — before a single one of those servers is probed.
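A defender can build the same provider view from a zone export of their own domains. The sketch below is an added example, not neobotnet's code: the suffix table is an assumed, non-exhaustive list of well-known provider CNAME domains, and the sample records are constructed.

```python
from collections import Counter

# Assumed suffix-to-provider table (well-known CNAME domains; not exhaustive,
# and not taken from the article's data set).
PROVIDER_SUFFIXES = {
    "edgekey.net": "Akamai",
    "edgesuite.net": "Akamai",
    "akamaiedge.net": "Akamai",
    "azurewebsites.net": "Microsoft Azure",
    "trafficmanager.net": "Microsoft Azure",
    "msappproxy.net": "Microsoft Azure",  # Entra application proxy
    "amazonaws.com": "AWS",
    "cloudfront.net": "AWS",
    "cdn.cloudflare.net": "Cloudflare",
    "service-now.com": "ServiceNow",
    "zendesk.com": "Zendesk",
    "incapdns.net": "Imperva",
}

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def provider_for(cname):
    """Return the provider whose suffix matches on a label boundary, else None."""
    labels = normalize(cname).split(".")
    # Walk from the longest candidate suffix to the shortest, so the most
    # specific table entry wins and "notedgekey.net" never matches "edgekey.net".
    for i in range(len(labels)):
        provider = PROVIDER_SUFFIXES.get(".".join(labels[i:]))
        if provider:
            return provider
    return None

def inventory(records):
    """Count hostnames per provider from (hostname, cname_target) pairs."""
    counts = Counter()
    for _host, target in records:
        counts[provider_for(target) or "unclassified"] += 1
    return counts

# Constructed sample records in zone-export form (not real data).
SAMPLE = [
    ("www.example.com", "www.example.com.edgekey.net."),
    ("orders.example.com", "orders-tenant.msappproxy.net."),
    ("static.example.com", "d111111abcdef8.cloudfront.net"),
    ("help.example.com", "EXAMPLE.ZENDESK.COM."),
    ("old.example.com", "host.notedgekey.net."),
]
```

Matching on whole labels rather than with a plain string suffix test keeps look-alike domains out of a provider's count, and the "unclassified" bucket is the list worth reviewing by hand.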
the login pages
T-Mobile's login pages read like an acquisition timeline. They're visible at all because a login page is the one internal entrance a company publishes on purpose — staff, partners, and dealers have to sign in from somewhere — so in an estate where 98% of hosts serve nothing public, the sign-in pages are most of what's left to read. And each company T-Mobile absorbed kept its own — its own identity vendor, on its own infrastructure, all still running side by side.
T-Mobile's own apps live on Microsoft Entra (Azure AD). The consumer login at account.t-mobile.com sits behind Akamai; a whole family of internal line-of-business apps — alm.internal, billerdirect, dealerorder, commercial-reporting, physicalaccess-idv — is published to the internet through Azure AD Application Proxy (every one CNAME'd to *.msappproxy.net, all under a single Entra tenant). Two dozen more hosts under *.docs.t-mobile.com all return the same Microsoft "Sign in to your account" screen. This is the consolidated, modern half of the estate.
An older T-Mobile system is still up underneath it. sts.t-mobile.com runs Microsoft ADFS — the previous generation of federation — and it's served from T-Mobile's own network rather than a CDN. The new identity stack didn't replace the old one; it was layered on top of it.
US Cellular brought its own identity provider, and it never moved. login.uscellular.com is a separate SAML system (/idp/SSO.saml2) running on Cloudflare — a completely different edge from T-Mobile's Akamai. Its QA environment, login-sqa.uscellular.com, is publicly reachable too, sharing the same Cloudflare addresses as production.
Sprint's identity service outlived the Sprint brand. Five years after the merger, idam.sprintdrive.sprint.com is still issuing OAuth flows on the Sprint domain.
Four identity systems, four acquisitions, four different pieces of infrastructure. You can read how far the integration has actually gotten just by looking at where the login pages are hosted — and the answer is "T-Mobile's own apps are merged; the companies it bought are not."
reading the login urls
Login pages don't only tell you which system you've hit. The parameters in their URLs tell a researcher how the system is wired, and that is where exposure starts to show. neobotnet indexed 107,899 URLs here; the most...