How Honest Was T-Mobile about the Enormous Data Breach?

Another significant data breach affecting an international company was recently disclosed. T-Mobile announced that it was hit by hackers and that, as a result of the attack, the personal information of some 2 million customers was compromised.

This personal information includes name, billing zip code, phone number, email address, account number, and account type. It is believed that financial data, social security numbers or passwords weren’t compromised in the data breach.

Were passwords compromised in the T-Mobile data breach?

Apparently, Motherboard has spoken with a T-Mobile spokesperson, who said that encrypted passwords were included in the data that was hacked. This is odd, since T-Mobile's original announcement said that no passwords were harvested.

When Motherboard then asked why the company used that specific wording, the spokesperson said in a message: “Because they weren’t [compromised]. They were encrypted.” The media also highlighted that:

The spokesperson declined to specify how those passwords were encrypted, or what hashing algorithm was used. Hours after this story was published, security researcher Nicholas Ceraolo reached out claiming that the data exposed in the breach was more than what T-Mobile disclosed. The researcher shared a sample of allegedly compromised data that included a field called “userpassword” and what looks like a hash, which is a cryptographic representation of a password.

It should be noted that the researcher said he was not involved in the hack but obtained the sample from a “mutual friend”, the media reported.

That’s not all, however. Two different researchers shared the above-mentioned hash, which apparently may be “an encoded string hashed with the notoriously weak algorithm called MD5”. Hashes produced with this algorithm are not that difficult to crack, especially with the help of brute-force attacks.
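The following added example (not from the original post, Motherboard or T-Mobile) shows what unsalted MD5 storage reveals on its own and one way a defender can upgrade such records without knowing the passwords, by wrapping each stored digest in salted PBKDF2. The table, user names, passwords and the iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example


def md5_hex(password):
    """Unsalted MD5: one fast hash call, same output for every user of a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _stretch(secret, salt):
    """Slow, salted derivation applied on top of the legacy digest."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def wrap_legacy_hash(md5_digest):
    """Upgrade a stored MD5 digest in place, without knowing the password."""
    salt = os.urandom(16)  # fresh random salt per record
    return salt, _stretch(md5_digest, salt)


def verify_wrapped(password, salt, stored):
    """Check a login attempt against a wrapped record, comparing in constant time."""
    return hmac.compare_digest(_stretch(md5_hex(password), salt), stored)


def users_sharing_a_hash(table):
    """Group user names by stored hash; a group larger than one means a shared password."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample table (not data from the breach).
LEGACY_TABLE = {
    "alice": md5_hex("Summer2018!"),
    "bob": md5_hex("Summer2018!"),
    "carol": md5_hex("correct horse battery staple"),
}

if __name__ == "__main__":
    print("shared unsalted hashes:", users_sharing_a_hash(LEGACY_TABLE))
    upgraded = {u: wrap_legacy_hash(d) for u, d in LEGACY_TABLE.items()}
    wrapped_view = {u: rec[1].hex() for u, rec in upgraded.items()}
    print("shared after wrapping:", users_sharing_a_hash(wrapped_view))
    salt, stored = upgraded["alice"]
    print("alice login ok:", verify_wrapped("Summer2018!", salt, stored))
```

Wrapping is a stopgap for records whose passwords are unknown; once a user logs in successfully, the record can be replaced with a slow salted hash computed directly from the password.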

What is in the official T-Mobile statement?

This is what the announcement reads:

On August 20, (Read more…)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Milena Dimitrova. Read the original post at: