T-Mobile and Sprint, slated for a $26 billion, mid-2019 mega-merger, have been hit by separate security breaches, the former in a cyber attack and the latter in a vulnerability uncovered by a researcher.
T-Mobile’s breach dates to August 20, when the carrier discovered that hackers had gained unauthorized access to an undisclosed number of customers’ confidential information, including names, billing zip code, phone number, email address, account numbers and types, but not passwords.
According to T-Mobile, no financial data, such as credit card information or social security numbers, was stolen in the heist. The company publicly revealed the break-in four days later, when it posted an open letter to customers on its website saying it had “promptly reported” the breach to law enforcement.
“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” the blog post read. “We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”
T-Mobile Breach: 2 Million Customer Records?
While the carrier didn’t publicly disclose the number of customers affected in the hack, it told Motherboard that the cyber robbery involved some two million people. In addition, T-Mobile revealed that encrypted passwords had been exposed, seemingly contradicting earlier word that no passwords were involved. The company subsequently contended that since the passwords were encrypted they weren’t compromised. Still, a password expert told Motherboard that customers should assume their password has been cracked and change it.
One security expert called the breach “too close of a call for comfort. This should serve as yet another wake up call to CTOs, CIOs and CISOs to ensure companies are implementing security best practices like a layered approach to protection and updating any out of date security devices,” Bill Conner, SonicWall president and CEO, told MSSP Alert in an email. “Transparency is key. Organizations must work with their trusted security provider to understand current security risks, and implement a customized plan to ensure protection for your stakeholders.”
Sprint: Poor Password Management
As for Sprint, an unnamed researcher was able to access one of the telecom's internal portals by using two sets of poor, easily guessed usernames and passwords, TechCrunch reported. A log-in page for the portal apparently didn’t require two-factor authentication, enabling the researcher to find pages to potentially gain access to customer account data, the report said.
Sprint, which confirmed the researcher’s findings in an email to TechCrunch, denied that “customer information can be obtained without successful authentication to the site...Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts,” a Sprint spokesperson reportedly said.
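The Sprint portal weaknesses described above (easily guessed credentials and a login page that did not require a second factor) and the question raised in the T-Mobile case of whether “encrypted” passwords are safe both come down to basic credential hygiene on the defending side. The following Python snippet is an added example, not code from the article or from either carrier: it checks a candidate password against a small constructed blocklist and length rule, flags an internal-portal login that does not enforce MFA, and stores passwords with a salted, memory-hard hash (scrypt) rather than reversible encryption. The blocklist contents, `MIN_LENGTH`, and all function names are assumptions made for the example.

```python
"""Credential-hygiene checks for an internal portal (added example).

Not the carrier's code: the blocklist, minimum length and function names
are assumptions chosen to illustrate the controls the report says were missing.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample blocklist. A real deployment would check against a
# breached-password corpus many orders of magnitude larger than this.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "admin",
    "welcome", "letmein", "portal", "changeme", "sprint",
}

MIN_LENGTH = 12  # assumed policy value

# Characters commonly appended to a dictionary word to "strengthen" it.
TRIVIAL_SUFFIX_CHARS = "0123456789!@#$%^&*._-"


def password_findings(username: str, password: str) -> List[str]:
    """Return policy violations for a candidate password (empty list = acceptable)."""
    findings: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        findings.append("appears in common-password blocklist")

    # "Password2018!" is still "password" once the trailing digits/symbols go.
    stem = lowered.rstrip(TRIVIAL_SUFFIX_CHARS)
    if stem and stem != lowered and stem in COMMON_PASSWORDS:
        findings.append("common password with trivial suffix")

    if username and username.lower() in lowered:
        findings.append("contains the username")

    return findings


def login_policy_findings(username: str, password: str,
                          mfa_enforced: bool, internal_portal: bool = True) -> List[str]:
    """Combine password checks with the MFA requirement for internal portals."""
    findings = password_findings(username, password)
    if internal_portal and not mfa_enforced:
        findings.append("internal portal login does not require a second factor")
    return findings


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash. Unlike encryption there is no key that unlocks it;
    an attacker holding the database still has to guess each password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample credentials of the kind the report describes.
    for user, pw, mfa in [("admin", "admin", False),
                          ("jsmith", "Password1!", False),
                          ("jsmith", "correct-horse-battery-staple", True)]:
        print(user, login_policy_findings(user, pw, mfa) or "OK")
    s, d = hash_password("correct-horse-battery-staple")
    print("verify:", verify_password("correct-horse-battery-staple", s, d))
```

Run as-is, the script prints the violations for each constructed account; the first two fail on guessable passwords and the missing second factor, the third passes. The hashing functions are the counterpart to the “encrypted passwords” point: a stored scrypt digest cannot be decrypted, only guessed, which is why a slow, salted hash rather than encryption is the baseline for password storage.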