T-Mobile customers' passwords could be vulnerable

T-Mobile customers' passwords could be vulnerable
In this age where 87 million Facebook users had their profiles used without permission, you might expect that carriers around the world would be super protective of their subscribers' personal information. But a series of tweets from T-Mobile Austria indicate that the wireless operator gives customer service reps the first four characters of customers' passwords and that the whole password is stored in plaintext. If a hacker (let's call him Johnny Badappleseed) has the tech to come up with the rest of the password using bruteforce or just makes a lucky guess, Mr. Badappleseed could make changes to the customer's account without permission. We already know what could happen in a situation like that. And if there is a complete data breach, all of T-Mobile Austria's customers could find their passwords strewn all over the internet.

After receiving several incredulous tweets about the apparent lack of security, another tweet from T-Mobile Austria basically said that its subscribers have nothing to worry about because "We secure all data very carefully, so there is not a thing to fear." It has been our experience that when someone tells you not to worry about something, it is time to start worrying. Same as when someone says "Believe me." Those two words are usually followed by the biggest lies.

T-Mobile Austria made a brief statement that tried to characterize this whole thing as a "misunderstanding" about how the carrier stores customer passwords and what is available to customer service reps. However, a quick call to T-Mobile revealed that customer service reps do have the ability to see the first four characters of your password not only in Austria, but also in the U.S. The rep that we spoke with told us that in the states, T-Mobile now wants your password to contain a minimum of six different numbers. However, the first four numbers will still be visible to T-Mobile customer service reps in the U.S.

Just a couple of hours ago, T-Mobile Austria tweeted out a new statement stating that there is no data breach at the carrier and it goes on to say that "databases are encrypted and secured," but that further security measures will be taken "as necessary." Check out the complete series of tweets in the slideshow below.

source: @tmobileat via Motherboard



1. Arch_Fiend

Posts: 3951; Member since: Oct 03, 2015

Let them steal my s**t so i can sue T-mobile.

2. cartersumpter

Posts: 5; Member since: Oct 07, 2011

Please change the article title to clarify that this is T-Mobile Austria, and not T-Mobile US, so that it looks less like a shady piece of clickbait BS.

3. zecks420

Posts: 8; Member since: Nov 12, 2013

Please remove this inacurate information. We do not see the first 4 of the password period. This is absolutely incorrect. No U.S. 4ep sees any part of the password. I work for the mobile USA.

4. ShadowHammer

Posts: 209; Member since: Mar 13, 2015

I've never had a T-Mobile rep ask for that information. However, I have had them ask for the last 4 digits of my SSN for verification, which is very common in the US to confirm identity.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.