According to a thread on Twitter, T-Mobile Austria stores customer passwords in plain text. Multiple customers of the operator have noted this, because customer service verifies callers by asking for the first four characters of their password.
T-Mobile has responded that its databases are secure and encrypted on disk, but that does not help: anyone who gains remote access to the database can read the passwords in the clear. That is exactly what happened in a similar breach in Finland, where around 130,000 logins and passwords were leaked. Meanwhile, a T-Mobile representative stated that this is not likely:
What if this doesn't happen because our security is amazingly good?
In addition, the passwords appear to be case insensitive: changing the case of characters in the password makes no difference at login.
Anyone who reuses the same password across multiple systems is at risk. Login leaks are especially bad for telecom operators and email accounts, because an attacker could obtain additional SIM cards and use the accounts to reset passwords on other services via SMS authentication or email password resets.
Read the tweet from Claudia Pellegrino and follow the thread below:
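To make the storage point concrete, here is an added example (not code from the article or from T-Mobile) contrasting the two designs. The "plaintext" record is a constructed stand-in for whatever scheme lets a support agent check the first four characters; the hashed record uses salted PBKDF2-HMAC-SHA256 from the Python standard library with an illustrative iteration count. With the hashed record, the only operation that exists is a full, case-sensitive comparison, so neither a partial-character check nor a case-insensitive login can be built on top of it, and a database copy yields no passwords.

```python
import hashlib
import hmac
import os

# --- Constructed weak scheme: what a "first four characters" support check implies ---

def store_plaintext(password: str) -> dict:
    """Record that keeps the secret itself (deliberately weak, for contrast)."""
    return {"scheme": "plaintext", "password": password}

def plaintext_prefix_check(record: dict, first_four: str) -> bool:
    """Case-insensitive prefix check; only possible because the secret is readable,
    which is exactly the property that turns a database leak into a credential leak."""
    return record["password"][:4].lower() == first_four.lower()

# --- Hardened scheme: salted, slow hash; assumption: iteration count chosen for the demo ---

PBKDF2_ITERATIONS = 200_000  # illustrative work factor, tune for real deployments

def store_hashed(password: str) -> dict:
    """Store a per-user random salt and the PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }

def verify_hashed(record: dict, candidate: str) -> bool:
    """Full-password check in constant time; case is preserved because the
    digest is computed over the exact bytes the user typed."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def can_check_prefix(record: dict) -> bool:
    """A hashed record exposes no substring of the secret, so a support flow that
    asks for the first four characters cannot be implemented on top of it."""
    return record["scheme"] == "plaintext"

if __name__ == "__main__":
    weak = store_plaintext("CorrectHorse")
    strong = store_hashed("CorrectHorse")
    print("plaintext prefix check works:", plaintext_prefix_check(weak, "corr"))
    print("hashed full check:", verify_hashed(strong, "CorrectHorse"))
    print("hashed, wrong case:", verify_hashed(strong, "correcthorse"))
    print("hashed, prefix only:", verify_hashed(strong, "Corr"))
    print("prefix check possible on hashed record:", can_check_prefix(strong))
```

The design choice worth noting: the random salt means two users with the same password get different digests, so a leaked table cannot be attacked with one precomputed list, and the slow hash raises the cost of guessing each entry. A support desk that needs to verify a caller should use a separate, revocable secret (a one-time code or a dedicated PIN stored the same way), not characters of the login password.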
Max. 16 chars, ASCII only, mandatory security question, pasting disabled for confirm password and answer fields. @Telekom_hilft @PWTooStrong pic.twitter.com/vbwKuna80M— Claudia Pellegrino (@c_pellegrino) April 1, 2018