Another significant data breach affecting an international company was recently disclosed. T-Mobile announced that it was hit by hackers and that, as a result of the attack, personal information of some 2 million customers was compromised.
The exposed personal information includes name, billing zip code, phone number, email address, account number, and account type. According to the company, financial data, social security numbers and passwords were not compromised in the data breach.
Were passwords compromised in the T-Mobile data breach?
However, Motherboard spoke with a T-Mobile spokesperson who said that encrypted passwords were included in the data that was taken. This is odd, since in its original announcement T-Mobile said that no passwords were compromised.
When Motherboard asked why the company chose that specific wording, the spokesperson replied in a message: “Because they weren’t [compromised]. They were encrypted.” Motherboard also reported:
The spokesperson declined to specify how those passwords were encrypted, or what hashing algorithm was used. Hours after this story was published, security researcher Nicholas Ceraolo reached out claiming that the data exposed in the breach was more than what T-Mobile disclosed. The researcher shared a sample of allegedly compromised data that included a field called “userpassword” and what looks like a hash, which is a cryptographic representation of a password.
It should be noted that the researcher said he was not involved in the hack but obtained the sample from a “mutual friend”, Motherboard reported.
That’s not all, however. Two other researchers who examined the above-mentioned hash suggested it may be “an encoded string hashed with the notoriously weak algorithm called MD5”. If that is the case, “encrypted” is a generous description. Nobody needs to break MD5 itself to recover the passwords: an attacker simply hashes candidate passwords from a wordlist or a brute-force enumeration and compares the results with the stolen values. MD5 was designed to be fast and carries no work factor, so commodity GPUs test billions of candidates per second, and if no per-user salt was used, identical passwords produce identical hashes, so a single precomputed table covers every account at once. Password storage that resists this kind of attack uses a unique salt per user and a deliberately slow, iterated function such as PBKDF2, bcrypt, scrypt or Argon2.
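To make the difference concrete, the following is an added Python example written for this article; it is not code from Motherboard, the researchers or T-Mobile, and nothing in it comes from the leaked sample. It runs a dictionary attack and a short brute-force search against a constructed unsalted MD5 digest (computed in the script from a made-up password), then stores the same password with a salted, iterated PBKDF2-HMAC-SHA256 hash using only the standard library and shows how the same dictionary attack now has to pay the full cost per guess and per user. The password, the wordlist and the hash encoding format are assumptions for illustration.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterable, Optional


def md5_hex(s: str) -> str:
    """Plain unsalted MD5 of a string, the way a legacy 'userpassword' column might store it."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample: the "leaked" digest is computed right here from a made-up
# password. It is not data from any real breach.
SAMPLE_PASSWORD = "summer18"
LEAKED_MD5 = md5_hex(SAMPLE_PASSWORD)

# Constructed mini wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["password", "123456", "qwerty", "tmobile", "summer18", "letmein"]


def crack_md5_dictionary(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted MD5: one cheap hash per guess, and because there is no salt the
    same guess checks every account that chose that password."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None


def crack_md5_bruteforce(target_hex: str, alphabet: str = string.ascii_lowercase,
                         max_len: int = 4) -> Optional[str]:
    """Exhaustive search over short strings. Pure Python manages on the order of a
    million MD5s per second; dedicated GPU crackers reach billions per second."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


# --- Hardened form: salted, iterated PBKDF2-HMAC-SHA256 (standard library only) ---
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return an 'algorithm$iterations$salt$digest' string (assumed format).
    A fresh 16-byte random salt per user defeats precomputed tables, and the
    iteration count makes every guess cost hundreds of thousands of SHA-256s."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_pbkdf2_dictionary(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against the hardened hash. It still works for a
    weak password, but each guess now costs a full PBKDF2 run, and the per-user
    salt means the whole effort has to be repeated for every account."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    print("MD5 dictionary hit:", crack_md5_dictionary(LEAKED_MD5, WORDLIST))
    print("MD5 brute force of md5('abc'):",
          crack_md5_bruteforce(md5_hex("abc"), max_len=3))
    stored = hash_password(SAMPLE_PASSWORD)
    print("stored:", stored)
    print("verify correct password:", verify_password(SAMPLE_PASSWORD, stored))
    print("verify wrong password:", verify_password("Summer18", stored))
    print("PBKDF2 dictionary hit (slow, per user):", crack_pbkdf2_dictionary(stored, WORDLIST))
```

Note that the hardened hash does not rescue a password that is in the attacker's wordlist; what it buys is that each guess is expensive and has to be made separately for every user, instead of one fast MD5 lookup table covering the entire customer base. Two calls to hash_password with the same password return different strings because of the random salt, which is exactly the property an unsalted MD5 column lacks.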
What is in the official T-Mobile statement?
This is what the announcement reads:
On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).
How is T-Mobile informing affected customers about the breach?
The company was expected to begin sending text messages to affected customers on August 24th. The message reads: “Hello—We ID’d & shut down an unauthorized capture of your info. No financial info/SSN taken but some personal info may have been. More: t-mo.co/security.”
Have you received such a message? What is your opinion about the data breach and how T-Mobile is handling it? Let us know in the comments below!