Given that password theft from major tech companies like Yahoo has become routine, most large firms now store their users’ passwords in an encrypted format. Keeping a list of users’ passwords in plaintext creates a huge risk—stealing that password database can give a hacker access to millions of accounts. And if a company’s users reuse their passwords on other websites, the breach can put a customer’s entire online identity at risk.
That’s why T-Mobile’s apparent admission this week that it stores at least parts of customers’ passwords in plaintext is potentially a colossal fuckup.
Earlier this week, a customer service representative using T-Mobile Austria’s Twitter account wrote that reps for the company can view the first four characters of a customer’s password.
“The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login,” the rep wrote.
Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea
— T-Mobile Austria (@tmobileat) 4 April 2018
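The rep’s claim that the whole password must be kept “because you need it for the login” is the point the opening paragraph contradicts: a login check only needs to confirm that what the user typed matches, and that can be done against a salted, slow hash without the password ever being written down. The example below is added here and is not code from T-Mobile or from the original article; it contrasts the storage pattern the tweet describes with a hashed store, using Python’s standard library. The class and method names, the sample usernames and passwords, and the PBKDF2 iteration count are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. A constructed value for this example,
# not a figure from the article; production deployments tune it to the
# hardware budget.
ITERATIONS = 200_000


class PlaintextStore:
    """The pattern the tweet describes: the whole password is kept on file.

    Anyone who can read the table (a support agent, or an attacker who steals
    a copy of the database) sees every password in full, not just a prefix.
    """

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        self._rows[username] = password

    def login(self, username, candidate):
        return self._rows.get(username) == candidate

    def agent_view(self, username):
        # What the article says agents can see: the first four characters.
        return self._rows[username][:4]

    def dump(self):
        # What a stolen copy of the table exposes.
        return dict(self._rows)


class HashedStore:
    """Keep a per-user random salt and a slow hash; never the password itself.

    Login still works, because verifying means re-deriving the hash from the
    candidate and comparing. There is no prefix to show an agent, because no
    character of the password exists anywhere in the record.
    """

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)  # fresh salt per user: equal passwords hash differently
        self._rows[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def login(self, username, candidate):
        row = self._rows.get(username)
        if row is None:
            # Spend the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(candidate, b"\x00" * 16)
            return False
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(self._derive(candidate, row["salt"]), row["hash"])

    def dump(self):
        # A stolen copy yields only salts and hashes; the login check above is
        # the only thing the stored data is good for.
        return {u: {"salt": r["salt"].hex(), "hash": r["hash"].hex()}
                for u, r in self._rows.items()}


def breach_exposes_password(store, username, password):
    """True if a dump of the store contains the password in the clear."""
    return password in str(store.dump().get(username, ""))


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        s = cls()
        s.register("claudia", "correct horse battery")
        print(cls.__name__, "login ok:", s.login("claudia", "correct horse battery"),
              "| breach exposes password:", breach_exposes_password(s, "claudia", "correct horse battery"))
```

Both stores answer the login question identically; only the plaintext one can also answer “what are the first four characters?”, and that is exactly the property a breach (or an over-privileged agent) exploits. A real deployment would additionally use a memory-hard function such as scrypt or Argon2 and rate-limit login attempts, but the structural point, that the stored record need not contain the password, is the same.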
As Motherboard reported, those four characters could be used to guess or brute-force a password.
But when customers pointed this out, T-Mobile responded that its security was too good for hackers to breach. “I really do not get why this is a problem. You have so many passwords for evey [sic] app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear,” a rep wrote.
Hi @c_pellegrino, I really do not get why this is a problem. You have so many passwords for evey app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear. ^Käthe
— T-Mobile Austria (@tmobileat) 5 April 2018
A spokesperson for T-Mobile Austria said, “Customer service agents see only parts of customers’ passwords which are safely stored in encrypted databases. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics for a better user experience.”