Given that password theft from major tech companies like Yahoo has become routine, most large firms now store their usersā passwords in an encrypted format. Keeping a list of usersā passwords in plaintext creates a huge riskāstealing that password database can give a hacker access to millions of accounts. And if a companyās users reuse their passwords on other websites, the breach can put a customerās entire online identity at risk.
Thatās why T-Mobile Austriaās apparent admission this week that it stores at least parts of customersā passwords in plaintext is potentially a colossal fuckup.
Earlier this week, a customer service representative using T-Mobileās Austria Twitter account wrote that reps for the company can view the first four characters of a customerās password.
āThe customer service agents see the first four characters of your password. We store the whole password, because you need it for the login,ā the rep wrote.
Advertisement
As Motherboard reported, those four characters could be used to guess or brute-force a password.
But when customers pointed this out, T-Mobile responded that its security was too good for hackers to breach. āI really do not get why this is a problem. You have so many passwords for evey [sic] app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,ā a rep wrote.
Advertisement
āT-Mobile US customer care representatives cannot see passwords, and we do not store passwords in plain text,ā a T-Mobile US spokesperson said. Gizmodo reached out to T-Mobile for more information about how its Austria business stores and secures customer passwords, and will update if we hear back.
Update 7:00 p.m.: A spokesperson for T-Mobile Austria said, āCustomer service agents see only parts of customersā passwords which are safely stored in encrypted databases. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience.āĀ
