Given that password theft from major tech companies like Yahoo has become routine, most large firms no longer store their users' passwords at all: they keep a salted, deliberately slow hash of each one (bcrypt, scrypt, Argon2 or PBKDF2) and check a login by recomputing that hash, so that even a stolen database does not hand over the passwords themselves. Keeping a list of users' passwords in plaintext, or reversibly encrypted with a key the company also holds, creates a huge risk: stealing that password database can give a hacker access to millions of accounts. And because many people reuse passwords across websites, the breach can put a customer's entire online identity at risk.
That’s why T-Mobile Austria’s apparent admission this week that it stores at least parts of customers’ passwords in plaintext is potentially a colossal fuckup.
Earlier this week, a customer service representative using T-Mobile’s Austria Twitter account wrote that reps for the company can view the first four characters of a customer’s password.
“The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login,” the rep wrote.
https://twitter.com/embed/status/981418339653300224
As Motherboard reported, those four characters could be used to guess or brute-force a password: knowing the start of a password removes four characters' worth of search space, and anyone who can see them (a support agent, or an attacker who gets into the support tool) is that much closer to the rest. The fact that agents can see any part of the password at all also means it is stored in a recoverable form, not as a hash.
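To make the two points above concrete, here is an added example (not code from Gizmodo, Motherboard or T-Mobile) showing how a service can verify a login while storing only a salted PBKDF2 hash, so that no employee can see any characters of the password, together with a small calculation of how much a leaked four-character prefix shrinks a brute-force search. The iteration count and the 62-symbol alphabet are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with a cost of 600k iterations. The exact
# number should be tuned to your hardware; the point is that it is slow.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). Only these two values are stored; the
    password itself is never written anywhere, so nobody can later 'see the
    first four characters' of it."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derivation with the stored salt and compare in constant
    time. This is all a login needs: the plaintext is not required."""
    _, derived = hash_password(password, salt)
    return hmac.compare_digest(derived, stored_key)


def guesses_remaining(length: int, known_prefix: int, alphabet_size: int = 62) -> int:
    """Size of the brute-force search space for a password of `length`
    characters drawn from `alphabet_size` symbols (62 = a-z, A-Z, 0-9, an
    assumption) once the first `known_prefix` characters have leaked."""
    unknown = max(length - known_prefix, 0)
    return alphabet_size ** unknown


def prefix_leak_factor(length: int, known_prefix: int, alphabet_size: int = 62) -> int:
    """How many times smaller the search becomes when the prefix is known."""
    full = guesses_remaining(length, 0, alphabet_size)
    reduced = guesses_remaining(length, known_prefix, alphabet_size)
    return full // reduced


if __name__ == "__main__":
    # Constructed sample: enrol a user, then attempt two logins.
    salt, key = hash_password("correct horse battery")
    print("stored record reveals no characters:", salt.hex(), key.hex())
    print("right password accepted:", verify_password("correct horse battery", salt, key))
    print("wrong password rejected:", verify_password("correct horse battery!", salt, key))
    # An 8-character alphanumeric password with the first 4 characters known:
    print("guesses left:", guesses_remaining(8, 4))
    print("search shrunk by a factor of:", prefix_leak_factor(8, 4))
```

With this scheme a support agent's screen can show, at most, an opaque salt and hash, and the only way to confirm a caller's identity is to run the hash over something the caller types. A system that can display the first four characters to an agent is, by construction, keeping the password (or those characters) in a form that can be read back, which is exactly the property a database thief is hoping for.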
But when customers pointed this out, T-Mobile responded that its security was too good for hackers to breach. “I really do not get why this is a problem. You have so many passwords for evey [sic] app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,” a rep wrote.
https://twitter.com/embed/status/981785213549383680
“T-Mobile US customer care representatives cannot see passwords, and we do not store passwords in plain text,” a T-Mobile US spokesperson said. Gizmodo reached out to T-Mobile for more information about how its Austria business stores and secures customer passwords, and will update if we hear back.
Update 7:00 p.m.: A spokesperson for T-Mobile Austria said, “Customer service agents see only parts of customers’ passwords which are safely stored in encrypted databases. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience.”