Recent T-Mobile and AT&T Data Breach Linked to Website Flaws
- Both T-Mobile and AT&T suffered from data breaches which led to user pins being potentially exposed.
- The security flaws were identified by security researchers Ryan and Nicholas Ceraolo.
- The flaws allowed anyone to take a T-Mobile or AT&T number and hijack the user’s phone card and pink.
T-Mobile suffered a recent data breach that could have exposed user data of up to 2 million of its 77 million users. According to independent research conducted and reported to Buzzfeed News, both T-Mobile and AT&T’s security flaws were due to insecure website pages. Security researchers Phobia (Ryan Ceraolo) and Convict (Nicholas Ceraolo) identified the flaws in the carriers web API.
The T-Mobile vulnerability was found in the carrier’s link to the Apple online store which allowed users to purchase Apple iPhones and 4G iPads with T-Mobile connections. Apple’s online shopping portal allowed the carrier’s users to guess the account pin unlimited times instead of a fixed number of attempts in other secure platforms. It allowed hackers to run all the possible combinations and identify the private account pins through hacking tools.
Image Courtesy of Buzzfeed
Once the right T-Mobile pin would be identified, it could be used to hijack the user’s SIM card and phone number with full access. Subsequently, access to the pin allows hackers to remove two-factor authentication or access private text messages with the four-digit code. Phobia and Convict also revealed that AT&T suffered a very similar vulnerability in a page that allowed users to file insurance claims. Similar to the T-Mobile exploit, hackers with access to an AT&T phone number could run all possible 4 digit pins until the correct one would be identified.
Instagram suffered a similar data breach recently with users reporting their accounts being hacked due to a flaw in how the two-factor authentication system worked. Users who use online services with PIN-based security should use physical 2FA keys or temporary access keys as an added layer of security to prevent data breaches. The telecoms have already fixed the vulnerabilities and are working towards improving data security.
What do you think about the recent data breaches suffered by the carriers? Let us know in the comments below. Also, to get instant tech updates, follow TechNadu’s Facebook page, and Twitter handle.