Vulnerabilities at AT&T, T-Mobile and Sprint Could Have Exposed Customer Data

Vulnerabilities at AT&T, T-Mobile and Sprint Could Have Exposed Customer Data

Last week was not a good week for telecommunications companies.

Security researchers have uncovered security flaws with systems at AT&T, Sprint and T-Mobile that could have left customer data accessible to bad actors.

The flaws impacting AT&T and T-Mobile were first reported. In T-Mobile's case, an "engineer mistake" between Apple's online storefront and T-Mobile's account validation API allowed for an unlimited number of attempts on an online form, which would allow a hacker to use commonly-available tools to guess an account PIN or the last four digits in a customer's social security numbers, in what's called a brute-force attack. The vulnerability has since been fixed.

A similar problem occurred with phone insurance company Asurion and its AT&T customers. An online form would allow anyone with a customer's phone number to access a form that allowed them unlimited guesses to guess a customer's passcode, leaving it vulnerable to another brute-force attack. The vulnerability has since been fixed.

At Sprint, security researchers were able to access an internal portal because of a "weak, easy-to-use usernames and passwords," compounded with the lack of two-factor authentication. Once in, the researcher was reportedly able to access customer account information for Sprint, Boost Mobile, and Virgin Mobile. The researcher also reported that anyone who gained access could make changes to customer accounts and that customers PINs could be brute-forced.

A Sprint spokesperson confirmed the vulnerability to TechCrunch, and noted that it didn't believe that any customers were affected by the vulnerability. The spokesperson said they were working to fix the issue.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

  • How COVID-19 Has Revolutionized Aviation Security Let's Talk Sports Security

    In this episode of SecurPod, Ralph C. Jensen and Fred Burton discuss security tactics at sporting events, from dealing with unruly fans to coordination between the home and visitors' teams to identifying potential stalkers. We also talk about the logistics of re-opening mass-attendance venues in the wake of the COVID-19 pandemic.

Digital Edition

  • Security Today Magazine - May June 2021

    May June 2021

    Featuring:

    • Tapping into Touch-free Digital
    • Deep Learning
    • Working from Home
    • Body-worn Technology
    • A Tragic Turn of Events

    View This Issue

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • Spaces4Learning
  • Campus Security & Life Safety