There’s nothing funny about the hack attack at T-Mobile that let roughly 2 million users with their names, billing zip codes, phone numbers, email addresses, and other account info compromised. What is funny, however, is how one T-Mobile representative in Austria seemed to practically be challenging hackers to attack the company just a few months before the hack.
This is more than just a funny true story – it’s also a great illustration of how some companies and people can stand to become a lot more serious about cybersecurity.
On April 3rd, a few Twitter users began discussing a worrying thought – that T-Mobile Austria was probably storing user passwords in plain text.
Plain-text passwords are a bad idea. The minimum standard for password storage is called hashing. This uses a complex algorithm to turn your password into a garbled mess of text that is then stored by the company. Any system you enter your password into can compare to see if your password is correct without ever storing it in a format that is easy for humans to read.
The T-Mobile representative, however, thought this was nonsense.
There are lots of ways for a company to approach cyber-security and protect its users, from common-sense procedures to advanced software suites. On the easier end of the spectrum, rule No. 1 might be “Don’t taunt hackers into attacking your company by revealing a vulnerability and then saying your security is amazingly good.”
Not only did the rep confirm that they store plain-text passwords, she also decided to scoff at the suggestion that they should tighten their security.
On August 20th, T-Mobile noticed evidence of a hack that accessed sensitive user information. A few days later, they announced that the compromised information “may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”
Note: If you’re a T-Mobile customer, click here to read their announcement and find out what you should do.
Fortunately, they also claimed that no sensitive information (like card numbers or passwords) was stolen (one must assume that the hack did not occur in Austria, or that they managed to clean up their act).
There is no obvious link between the tweets from April and the attack on T-Mobile in August. It’s also not yet entirely clear whether T-Mobile Austria was effected. If either of those things turns out to be true, however, I don’t think anyone would be surprised.
T-Mobile isn’t the only company with a flippant take on cybersecurity – it’s just the example du jour. There are lessons to be learned here for any security-conscious consumer, not just T-Mobile clients:
Take your online security into your hands! Sign up for our newsletter below to receive more free online privacy and security tips.