T-Mobile says it’s lost the account details of two million of its users. The company soft-pedalled the announcement, saying that some customer data ‘may have been exposed’ before they caught the leak.
In fact, around 3% of T-Mobile’s customer base – two million people – may have been affected by the leak, which laid open customer names, billing zip codes, email addresses, account numbers and account types (whether the account is prepaid or postpaid).
Initially the company said that credit card numbers, social security numbers and passwords hadn’t been accessed, but it later turned out that ‘encrypted passwords’ were accessed.
Again, T-Mobile tried to pedal backwards: the hackers wouldn’t be able to read the passwords they’d stolen because they’re encrypted.
But that might be wrong too.
T-Mobile may have used an obsolete encryption protocol…
Security researchers believe that T-Mobile used the MD5 algorithm to protect customer passwords – an algorithm whose own author said, in 2012, was ‘no longer safe’.
T-Mobile declined to confirm whether it used MD-5, but said the hackers were ‘international,’ which could just mean they took a plane to Paris the weekend after they broke the security of a $26 billion company, but is clearly meant to imply that T-Mobile was beaten by Sneakers, or something. Maybe it was kids, who knows.
…if they used one at all
What we do know about the T-Mobile hack is that T-Mobile gave away its own weaknesses in a series of tweets in April this year, in which it patiently explained to one Claudia Pellegrino that it kept its customers’ passwords on its database in clear text – that is, unencrypted. After Pellegrino approached the company on Twitter, T-Mobile representative Andrea explained:
That’s OK then. It’s not just customer service agents who can see your unencrypted password – though that’s enough of a security nightmare by itself. Anyone who breaches the database can see anything that’s inside it that isn’t additionally encrypted – obviously. And millions and millions of easily-accessible customer passwords make the effort needed to break even the strongest protection around that database well worth the effort – obviously.
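The difference between the three storage schemes the article touches on – clear text, unsalted MD5, and a salted, deliberately slow hash – is easy to see on a small table. The following Python is an added example written for this page, not T-Mobile’s code and not drawn from the breach; the accounts, passwords and “common passwords” list are constructed, and the PBKDF2 work factor is an assumed value. It shows two things a breached table gives away when the hash is unsalted and fast: which accounts share a password, and how many records one precomputed lookup table of common passwords covers. With a per-record salt and a slow hash, the same table reveals neither.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: hypothetical accounts, two of which share a
# password. Nothing here comes from the T-Mobile breach.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2018!",
    "bob": "password123",
    "carol": "Summer2018!",
    "dave": "qwerty",
}

# Constructed stand-in for a common-passwords wordlist.
COMMON_PASSWORDS = ["123456", "password123", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def store_plaintext(password: str) -> str:
    """Clear-text storage, as described in the Twitter exchange: the record is the password."""
    return password


def store_md5(password: str) -> str:
    """Unsalted MD5: fast, deterministic, identical output for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Record format: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def build_table(store):
    """Store every sample account with the given scheme, as a breached table would look."""
    return {user: store(pw) for user, pw in SAMPLE_ACCOUNTS.items()}


def shared_password_groups(table) -> int:
    """Number of distinct stored values shared by more than one account.
    Non-zero means the table alone reveals who reuses a password."""
    counts = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def recoverable_by_lookup(table, store) -> list:
    """Accounts whose stored value appears in one precomputed table of common
    passwords. Without a salt, a single table covers every account at once."""
    precomputed = {store(pw): pw for pw in COMMON_PASSWORDS}
    return sorted(user for user, value in table.items() if value in precomputed)


if __name__ == "__main__":
    for name, store in [("plaintext", store_plaintext), ("md5", store_md5), ("pbkdf2", store_pbkdf2)]:
        table = build_table(store)
        print(f"{name:9s} shared-password groups: {shared_password_groups(table)}, "
              f"recovered by lookup: {recoverable_by_lookup(table, store)}")
```

Run as a script, the plaintext and MD5 tables each show one shared-password group (alice and carol) and two accounts recovered by the lookup table; the PBKDF2 table shows zero of each, because every record carries its own salt and the precomputed values never match. Verification still works for the legitimate login path because the salt and iteration count are stored alongside the hash.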
So T-Mobile explained the situation to Claudia with a totally reasonable analogy:
Suppose there is, though. I mean, just supposing…
Never gonna happen.
Turns out, T-Mobile’s security isn’t that amazing. On this Twitter thread, company representatives boasted about how awesome their security was, brushed off the concerns of people who actually knew a little about security, and advertised the fact that they had a honeypot of weakly-protected customer data – things that thread participants pointed out at the time, four months ago.
How serious is the hack?
This has the potential to be a disaster for some T-Mobile customers; for most it will hopefully just be an inconvenience, though thieves who have both hacked and publicly-available information on you can much more easily steal your identity, for instance, so even relatively innocuous leaks can have major consequences.
However, it does illustrate a larger point: just because it’s a huge corporation with big buildings and millions of customers, doesn’t mean they have any idea what they’re doing, or that your data is safe with them. You have to assume that you’re responsible for your own data security. Even when corporations aren’t selling it, stealing it from each other, handing it over to the state without a whimper or collecting it by the truckload without your knowledge or consent, they just can’t seem to hang on to it.
It’s ironic that the businesses that have both driven and profited by society’s digital transformation are so completely at sea in the resulting environment. But it’s also kind of scary.
To keep your data secure, use a different password for each site – and get a VPN if you want to keep yourself from being tracked online.