Monday 19th November 2018

T-Mobile’s Twitter tailspin: They partly store passwords in plain text and ‘don’t get why it’s a problem’

by Jason Smith on 7th April 2018

In an astonishing exchange between T-Mobile Austria’s social media representative and an ever-growing number of Twitter users, the telecommunications giant has admitted storing part of its customers’ passwords in plain text.

In response to Twitter users pointing out the obvious security implications, T-Mobile’s social media representative stated “I really do not get why this is a problem. You have so many passwords for eve[r]y app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear”.

When another Twitter user questioned what happens if T-Mobile’s systems are breached, the representative nonchalantly stated “What if this doesn’t happen because our security is amazingly good?”

User passwords are stored in databases and security researchers often go to great lengths to emphasize the importance of hashing passwords to minimize the impact of a security breach.

Moreover, hashing passwords prevents internal staff from seeing a password and, in the event of a breach, stops hackers from extending the breach by reusing the same passwords against users’ accounts on other platforms.

The T-Mobile representative stated that customer service agents “see the first four characters of your password”; however, even exposing part of the password can make it significantly easier for a hacker to guess the rest.
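To make the two points above concrete, the following added example (not from the article, and not T-Mobile's code) contrasts a salted, slow hash record, from which no character can be displayed, with a record that also keeps a readable four-character prefix. The function names, the PBKDF2 parameters, the sample password and the 94-symbol alphabet with uniformly random characters are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example

def hash_password(password: str) -> dict:
    """Store only a random salt and a slow, salted hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def store_with_prefix(password: str) -> dict:
    """Hypothetical weak pattern: hash plus a readable four-character prefix."""
    record = hash_password(password)
    record["prefix"] = password[:4]  # plaintext anyone with DB access can read
    return record

def agent_view(record: dict):
    """What a support screen can show: None when only a hash is stored."""
    return record.get("prefix")

def remaining_bits(length: int, known: int, alphabet: int = 94) -> float:
    """Guessing entropy left when `known` leading characters are exposed.
    Assumes uniformly random characters; human-chosen passwords have less."""
    return (length - known) * math.log2(alphabet)

if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    safe, weak = hash_password(pw), store_with_prefix(pw)
    print("hash-only record shows agent:", agent_view(safe))
    print("prefix record shows agent:   ", agent_view(weak))
    print("login still verifies:        ", verify_password(safe, pw))
    for known in (0, 4):
        print(f"8 chars, {known} known: {remaining_bits(8, known):.1f} bits")
```

Under these assumptions, exposing four of eight characters halves the remaining entropy, which cuts the number of guesses needed by a factor of 94^4, roughly 78 million.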

In the rapidly expanding thread of replies, another Twitter user stated “you’re now number 1 target for black hats”.

This isn’t the first time questions have been posed about T-Mobile’s data security. Late last year a security researcher identified a hole in the telecommunication company’s API.

The API was misconfigured and accepted queries containing a mobile phone number. If queried with a phone number, the API responded with account information associated with that phone number, including the customer’s email address, account numbers, answers to security questions and device identification numbers.