Pedestrians walk by a T-Mobile store.
Photo: Justin Sullivan (Getty)

Given that password theft from major tech companies like Yahoo has become routine, most large firms now store their users’ passwords in an encrypted format. Keeping a list of users’ passwords in plaintext creates a huge risk—stealing that password database can give a hacker access to millions of accounts. And if a company’s users reuse their passwords on other websites, the breach can put a customer’s entire online identity at risk.

That’s why T-Mobile Austria’s apparent admission this week that it stores at least parts of customers’ passwords in plaintext is potentially a colossal fuckup.


Earlier this week, a customer service representative using T-Mobile’s Austria Twitter account wrote that reps for the company can view the first four characters of a customer’s password.

“The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login,” the rep wrote.


As Motherboard reported, those four characters could be used to guess or brute-force a password.

But when customers pointed this out, T-Mobile responded that its security was too good for hackers to breach. “I really do not get why this is a problem. You have so many passwords for evey [sic] app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,” a rep wrote.


“T-Mobile US customer care representatives cannot see passwords, and we do not store passwords in plain text,” a T-Mobile US spokesperson said. Gizmodo reached out to T-Mobile for more information about how its Austria business stores and secures customer passwords, and will update if we hear back.

Update 7:00 p.m.: A spokesperson for T-Mobile Austria said, “Customer service agents see only parts of customers’ passwords which are safely stored in encrypted databases. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience.”