Given that password theft from major tech companies like Yahoo has become routine, most large firms now store their users’ passwords in an encrypted format. Keeping a list of users’ passwords in plaintext creates a huge risk—stealing that password database can give a hacker access to millions of accounts. And if a company’s users reuse their passwords on other websites, the breach can put a customer’s entire online identity at risk.
That’s why T-Mobile Austria’s apparent admission this week that it stores at least parts of customers’ passwords in plaintext is potentially a colossal fuckup.
Earlier this week, a customer service representative using T-Mobile’s Austria Twitter account wrote that reps for the company can view the first four characters of a customer’s password.
“The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login,” the rep wrote.
As Motherboard reported, those four characters could be used to guess or brute-force a password.
But when customers pointed this out, T-Mobile responded that its security was too good for hackers to breach. “I really do not get why this is a problem. You have so many passwords for evey [sic] app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,” a rep wrote.
“T-Mobile US customer care representatives cannot see passwords, and we do not store passwords in plain text,” a T-Mobile US spokesperson said. Gizmodo reached out to T-Mobile for more information about how its Austria business stores and secures customer passwords, and will update if we hear back.
Update 7:00 p.m.: A spokesperson for T-Mobile Austria said, “Customer service agents see only parts of customers’ passwords which are safely stored in encrypted databases. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience.”
DISCUSSION
Fuck T-Mobile. They’re terrible. For the past few months I can’t log in to their client pages using the browser that came with my antivirus. It just returns a database error. Standard Chrome? It works just fine.