Barely a few days after T-Mobile suffered a security breach in which “only” two million
customers were affected, fellow cell carrier Sprint has also had to deal with security issues of their own.
A security researcher, according to a report by TechCrunch, managed to gain access into an internal Sprint staff portal.
Once inside, they could have access to customer data. And since Boost Mobile and Virgin Mobile are subsidiaries of Sprint, their customers were also
The researcher even went a little further in, gaining access to a portal for customer account data.
This gave them the power to “conduct a device swap, change plans and add-ons,
replenish a customer’s account, check activation status and view customer account information,” according to the report.
So, how did the researcher ‘hack’ into the portal? Via the complicated and highly sophisticated method of guessing the login details.
The exact credentials that were used were not published, but apparently they were really quite easy to guess.
That’s not all, the researcher managed to guess two different sets of credentials.
The first was used to gain initial access to the staff portal, and the second was used to get to the portal that could allow someone with malicious intent to potentially mess with any customer, as
long as they knew their mobile number and four-digit PIN.
“But the PIN should have kept them out,” shouldn’t it?
Maybe, that is if there was a limit to the number of attempts to entering the PIN.
A simple brute force search through all possible combinations would find the PIN, no matter what it was.
Sprint was contacted about the security issue, and while they did promptly change their passwords, they gave out flimsy statements about the security of their customers being “top priority,” and about “working diligently to research this issue.”
The consolation here is that no data was actually leaked, and that the portal itself is not public knowledge.
But this is telling of a major issue that really shouldn’t still exist in 2018: too many
people are not security conscious, even in large organisations where there really is a lot.
All it takes is one easily guessed password and everything you want to keep under lock might be compromised.
In any case, there is a lesson to be learnt: don’t use weak passwords.