
Given that password theft from major tech companies like Yahoo has become routine, most large firms now store their users’ passwords as salted one-way hashes rather than in a form that can be read back. Keeping a list of users’ passwords in plaintext creates a huge risk—stealing that password database can give a hacker access to millions of accounts. And if a company’s users reuse their passwords on other websites, the breach can put a customer’s entire online identity at risk.
That’s why T-Mobile Austria’s apparent admission this week that it stores at least parts of customers’ passwords in plaintext is potentially a colossal fuckup.
Earlier this week, a customer service representative using T-Mobile’s Austria Twitter account wrote that reps for the company can view the first four characters of a customer’s password.
“The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login,” the rep wrote.

As Motherboard reported, those four characters could be used to guess or brute-force a password: every character an attacker already knows is one position fewer to search, so the remaining unknown portion is far shorter than the password itself.
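Two things the story turns on, shown here as an added example rather than anything from the article or from T-Mobile: how much a leaked four-character prefix shrinks the search space for a brute-force attempt, and how a salted one-way hash lets a service check a password at login without retaining any of its characters. The password length, the 62-character alphabet and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption: passwords drawn from upper- and lower-case letters plus digits.
ALPHABET_SIZE = 62
SALT_LEN = 16
# Assumption: scrypt work factors for the demo; tune upward in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def candidates(length, known_prefix_len=0):
    """Number of guesses needed to enumerate every password of this length
    when the attacker already knows the first known_prefix_len characters."""
    if not 0 <= known_prefix_len <= length:
        raise ValueError("known prefix cannot exceed the password length")
    return ALPHABET_SIZE ** (length - known_prefix_len)


def speedup(length, known_prefix_len):
    """How many times smaller the search becomes once the prefix is known."""
    return candidates(length) // candidates(length, known_prefix_len)


def hash_password(password, salt=None):
    """Store salt || scrypt(password, salt). Nothing in the record is a
    character of the password, so an agent (or a thief) cannot read any of it."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt + digest


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # An eight-character password with four characters exposed to support
    # staff leaves only four unknown positions for an attacker to brute-force.
    print("full search:", candidates(8))
    print("with 4 known:", candidates(8, 4))
    print("speedup:", speedup(8, 4))

    record = hash_password("Tr0ub4dor")  # constructed sample password
    print("login ok:", verify_password("Tr0ub4dor", record))
    print("wrong pw:", verify_password("Tr0ub4dox", record))
```

With the prefix known, the eight-character case drops from 62^8 to 62^4 guesses, roughly a 15-million-fold reduction, and the hashed record on the right-hand side gives support staff nothing to read out at all; a "confirm the first four characters" workflow is only possible because the service keeps the characters themselves.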
But when customers pointed this out, T-Mobile responded that its security was too good for hackers to breach. “I really do not get why this is a problem. You have so many passwords for evey [sic] app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,” a rep wrote.
“T-Mobile US customer care representatives cannot see passwords, and we do not store passwords in plain text,” a T-Mobile US spokesperson said. Gizmodo reached out to T-Mobile for more information about how its Austria business stores and secures customer passwords, and will update if we hear back.
Update 7:00 p.m.: A spokesperson for T-Mobile Austria said, “Customer service agents see only parts of customers’ passwords which are safely stored in encrypted databases. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience.”
DISCUSSION
Fuck T-Mobile. They’re terrible. For the past few months I can’t log in to their client pages using the browser that came with my antivirus. It just returns a database error. Standard Chrome? It works just fine.